Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 778225
MD5: 666c88fcf0d3bfeff2141ae4cd3c998f
SHA1: f24d13e05099aaeadda2933af13a01dd31defe6e
SHA256: 2ffce4a30025c7b0c408da211a4a5c00c395c4933b94ecfa818a8c1aea5ae4d2
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • file.exe (PID: 4092 cmdline: C:\Users\user\Desktop\file.exe MD5: 666C88FCF0D3BFEFF2141AE4CD3C998F)
  • cleanup
Malware configuration (RedLine, extracted): {"C2 url": "77.73.133.62:22344", "Bot Id": "@new@2023", "Message": "Error!", "Authorization Header": "8284279aedaed026a9b7cb9c1c0be4e4"}
Yara matches (Source | Rule | Description | Author, matched strings listed beneath each entry)

Network capture:
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory dumps (.sdmp):
00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x294bc:$pat14: , CommandLine:
  • 0x1dc09:$v2_1: ListOfProcesses
  • 0x1d3d7:$v4_3: base64str
  • 0x1d3a4:$v4_4: stringKey
  • 0x1d3e1:$v4_5: BytesToStringConverted
  • 0x1d3cc:$v4_6: FromBase64
  • 0x1d8bd:$v4_8: procName
00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 AE 88 44 24 2B 88 44 24 2F B0 EF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
(remaining memory-dump entries are collapsed in the original report)

Unpacked PE files (.unpack):
0.2.file.exe.2620000.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.2620000.6.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x285d4:$pat14: , CommandLine:
  • 0x1cd21:$v2_1: ListOfProcesses
  • 0x1c4ef:$v4_3: base64str
  • 0x1c4bc:$v4_4: stringKey
  • 0x1c4f9:$v4_5: BytesToStringConverted
  • 0x1c4e4:$v4_6: FromBase64
  • 0x1c9d5:$v4_8: procName
0.2.file.exe.2390000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.2390000.4.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x276bc:$pat14: , CommandLine:
  • 0x1be09:$v2_1: ListOfProcesses
  • 0x1b5d7:$v4_3: base64str
  • 0x1b5a4:$v4_4: stringKey
  • 0x1b5e1:$v4_5: BytesToStringConverted
  • 0x1b5cc:$v4_6: FromBase64
  • 0x1babd:$v4_8: procName
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(remaining unpacked-PE entries are collapsed in the original report)
                  No Sigma rule has matched
Snort IDS alerts:

Timestamp: 01/05/23-08:33:19.794738
Source IP: 192.168.2.3
Destination IP: 77.73.133.62
Source Port: 49698
Destination Port: 22344
SID: 2850286
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:33:15.942610
Source IP: 192.168.2.3
Destination IP: 77.73.133.62
Source Port: 49698
Destination Port: 22344
SID: 2850027
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/05/23-08:33:17.284418
Source IP: 77.73.133.62
Destination IP: 192.168.2.3
Source Port: 22344
Destination Port: 49698
SID: 2850353
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "77.73.133.62:22344", "Bot Id": "@new@2023", "Message": "Error!", "Authorization Header": "8284279aedaed026a9b7cb9c1c0be4e4"}

                  Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: C:\suyo14-voc-rukaxan.pdb source: file.exe
                  Source: Binary string: _.pdb source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp

                  Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49698 -> 77.73.133.62:22344
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49698 -> 77.73.133.62:22344
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 77.73.133.62:22344 -> 192.168.2.3:49698
Source: Malware configuration extractor | URLs: 77.73.133.62:22344
Source: Joe Sandbox View | ASN Name: AS43260TR
Source: Joe Sandbox View | IP Address: 77.73.133.62
Source: global traffic | TCP traffic: 192.168.2.3:49698 -> 77.73.133.62:22344
Source: unknown | TCP traffic detected without corresponding DNS query: 77.73.133.62
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: file.exe, 00000000.00000002.320030058.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: file.exe, 00000000.00000002.320030058.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: file.exe, 00000000.00000002.319868177.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o
Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.314645028.00000000007F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02230C2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02230C30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05807448
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05808180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580C1D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580A1E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580BC88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0580C503
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040E1D8 appears 44 times
Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000002.320916289.0000000003735000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs file.exe
Source: file.exe, 00000000.00000002.319492051.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs file.exe
Source: file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRichens.exeH vs file.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\file.exe | Command line argument: 08A | 0_2_00413780
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\suyo14-voc-rukaxan.pdb source: file.exe
Source: Binary string: _.pdb source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.247201095.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp
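The "String found in binary or memory" rows earlier on this page and the "OriginalFilename ... vs file.exe" rows above both come from string extraction over the process's dumped memory regions (the .sdmp sources). The script below is an added example, not Joe Sandbox code or output: it runs over a constructed byte buffer standing in for one dump region, pulls out both ASCII and UTF-16LE strings (RedLine is a .NET assembly, so its strings sit in memory as UTF-16LE and an ASCII-only strings pass misses them), flags the URLs an analyst reads as indicators, and extracts every embedded OriginalFilename value so it can be compared with the name on disk. The URLs and names are the ones this report lists; the buffer layout and the hint text attached to each indicator are assumptions.

```python
"""Pull the evidence behind the report's "String found in binary or memory"
and "OriginalFilename ... vs file.exe" rows out of a raw memory dump.
Added example with a constructed dump; not Joe Sandbox code or output."""
import re

# Constructed stand-in for a .sdmp region: ASCII and UTF-16LE strings mixed
# with binary noise. .NET keeps System.String as UTF-16LE, so an ASCII-only
# strings pass misses most of what a managed stealer like RedLine leaks.
SAMPLE_DUMP = (
    b"\x00\x01\x02https://api.ip.sb/ip\x00\xff\xfe"
    + "http://tempuri.org/Entity/Id3Response".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90https://duckduckgo.com/chrome_newtab\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "Richens.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00junk\x00\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "_.dll".encode("utf-16-le") + b"\x00\x00"
)

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[^\s\"'<>]*)?")

# What an analyst reads into the URLs the report lists (assumed mapping).
IOC_HINTS = {
    "api.ip.sb/ip": "external IP lookup done before the first beacon",
    "tempuri.org/": "default WCF contract namespace: SOAP-based C2 channel",
    "duckduckgo.com/": "search-provider string copied from a browser profile",
}

def _runs(buf, min_len):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_urls(buf, min_len=6):
    """Return (offset, encoding, url, hint) tuples in dump order; hint may be ''."""
    out = []
    for off, enc, text in _runs(buf, min_len):
        for url in URL_RE.findall(text):
            hint = next((v for k, v in IOC_HINTS.items() if k in url), "")
            out.append((off, enc, url, hint))
    return sorted(out)

def original_filenames(buf):
    """Values that follow each UTF-16LE 'OriginalFilename' key of a
    VS_VERSIONINFO block; the report's 'OriginalFilename<name>' rows are these."""
    key = "OriginalFilename".encode("utf-16-le")
    value_re = re.compile(rb"(?:[\x20-\x7e]\x00){2,}")
    names, pos = [], buf.find(key)
    while pos != -1:
        m = value_re.search(buf, pos + len(key))
        if m:
            names.append(m.group().decode("utf-16-le"))
        pos = buf.find(key, pos + len(key))
    return names

def name_mismatches(buf, on_disk_name):
    """Embedded names that differ from the container's file name. A loader
    carrying a payload with its own version block shows up exactly like this."""
    return [n for n in original_filenames(buf) if n.lower() != on_disk_name.lower()]

if __name__ == "__main__":
    for off, enc, url, hint in find_urls(SAMPLE_DUMP):
        print(f"{off:08x} {enc:8} {url}  {hint}")
    print("OriginalFilename mismatches:", name_mismatches(SAMPLE_DUMP, "file.exe"))
```

Two of the three URLs are only recoverable because the UTF-16LE pass is there; on a real dump, run both passes over every region and diff the OriginalFilename list against the file on disk before trusting any version information the sample presents.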

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
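The two rows above record that the image dumped from 0x400000 carries a different section table than the file on disk (the .rdata entry is gone), which is how the sandbox arrives at "Detected unpacking (changes PE section rights)". The script below is an added example, not Joe Sandbox code or the sample's: it builds two constructed PE images, parses their section tables and diffs section names and IMAGE_SCN_MEM_* rights. The section names, flags and the missing .rdata entry are chosen to mirror the finding; the in-memory image additionally has a writable .text, which the report does not claim for this sample but which is the usual sign of a stub rewriting code in place.

```python
"""Compare section rights between a PE on disk and an image dumped from
memory, the check behind "Detected unpacking (changes PE section rights)".
Added example; the PE images below are constructed, not the sample."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_pe(sections):
    """Constructed minimal PE32: DOS header with e_lfanew, PE signature,
    IMAGE_FILE_HEADER with an empty optional header, then the section table.
    Only the fields section_rights() reads carry meaningful values."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                 # e_lfanew: NT headers at 0x40
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections)
    return bytes(dos) + b"PE\0\0" + file_header + table

def section_rights(pe):
    """Parse the section table and return [(name, rights)] with rights spelled
    like the report ('ER', 'RW', ...) from IMAGE_SCN_MEM_* characteristics."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 4 + 20 + size_of_optional       # first IMAGE_SECTION_HEADER
    rights = []
    for _ in range(num_sections):
        name = struct.unpack_from("<8s", pe, off)[0].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", pe, off + 36)[0]   # Characteristics
        spelled = "".join(letter for letter, bit in (("E", IMAGE_SCN_MEM_EXECUTE),
                                                     ("R", IMAGE_SCN_MEM_READ),
                                                     ("W", IMAGE_SCN_MEM_WRITE))
                          if flags & bit)
        rights.append((name, spelled))
        off += 40
    return rights

def layout_string(rights):
    """'.text:ER;.rdata:R;...' in the notation the report uses."""
    return ";".join(f"{name}:{spelled}" for name, spelled in rights) + ";"

def compare_layouts(on_disk, in_memory):
    """Sections dropped, added or re-protected between the two images.
    Any non-empty result is the unpacking signal; an executable section that
    gained W (or a writable one that gained E) is the one to dump and inspect."""
    disk, mem = dict(on_disk), dict(in_memory)
    changes = [f"{n}: present on disk, missing in memory" for n in disk.keys() - mem.keys()]
    changes += [f"{n}: new in memory" for n in mem.keys() - disk.keys()]
    changes += [f"{n}: {disk[n]} -> {mem[n]}" for n in disk.keys() & mem.keys()
                if disk[n] != mem[n]]
    return sorted(changes)

E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
# Constructed: the file as it looks on disk versus after the stub has rewritten
# its headers in place (the .rdata entry is gone and .text is now RWX).
ON_DISK = build_pe([(".text", E | R), (".rdata", R), (".data", R | W), (".rsrc", R)])
IN_MEMORY = build_pe([(".text", E | R | W), (".data", R | W), (".rsrc", R)])

def unpacking_changes():
    """Changes between ON_DISK and IN_MEMORY, i.e. what a sandbox would flag."""
    return compare_layouts(section_rights(ON_DISK), section_rights(IN_MEMORY))

if __name__ == "__main__":
    print("disk:  ", layout_string(section_rights(ON_DISK)))
    print("memory:", layout_string(section_rights(IN_MEMORY)))
    for change in unpacking_changes():
        print("  ", change)
```

Run the same parser over a ProcDump or sandbox image of the process and over the original file; a changed section count or rights string means the header in memory is no longer the one that was loaded, and the dump rather than the file is what the Yara rules above should be pointed at.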
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C40C push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423149 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C50E push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004231C8 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C6BE push ebx; ret 0_2_0041C6BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008099F0 push FFFFFFE1h; ret 0_2_008099FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080C93B push edi; retf 0_2_0080C93C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080F170 push cs; retf 0_2_0080F1E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_022343CD push ebp; retf 0_2_022343D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02234C14 push cs; ret 0_2_02234C17
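The push/ret pairs listed above (for example the push cs at 0x41C40C whose iretd sits at 0x41C4E2) are the evidence behind "Uses code obfuscation techniques (call, push, ret)": pushing a computed value and returning to it transfers control without a visible jmp or call, so a linear disassembler follows the wrong path and a signature on the real target is harder to write. The scanner below is an added example, not Joe Sandbox code; the bytes it runs over are constructed to contain the same forms the report lists. It only pairs a push with a return that directly follows it, whereas the sandbox pairs the push with the return reached later on the executed path, so treat it as triage and confirm hits in a disassembler.

```python
"""Static scan for the push/ret style of control-flow obfuscation behind the
report's "Uses code obfuscation techniques (call, push, ret)" finding.
Added example over constructed bytes; not Joe Sandbox code or output."""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_ONE_BYTE = {0x50 + i: f"push {r}" for i, r in enumerate(REGS32)}
PUSH_ONE_BYTE.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"})
RET_PLAIN = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_IMM16 = {0xC2: "ret", 0xCA: "retf"}

def decode_push(code, i):
    """Return (mnemonic, offset of the next instruction) if code[i] starts a
    push we recognise, else None. Immediates are printed sign-extended to
    32 bits in the report's 'FFFFFFE1h' style."""
    op = code[i]
    if op in PUSH_ONE_BYTE:
        return PUSH_ONE_BYTE[op], i + 1
    if op == 0x6A and i + 1 < len(code):                      # push imm8
        imm = code[i + 1] - 0x100 if code[i + 1] >= 0x80 else code[i + 1]
        return f"push {imm & 0xFFFFFFFF:08X}h", i + 2
    if op == 0x68 and i + 4 < len(code):                      # push imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return f"push {imm:08X}h", i + 5
    return None

def decode_ret(code, i):
    """Return (mnemonic, length) for a return-family opcode at code[i], else None."""
    if i >= len(code):
        return None
    op = code[i]
    if op in RET_PLAIN:
        return RET_PLAIN[op], 1
    if op in RET_IMM16 and i + 2 < len(code):                 # ret imm16 / retf imm16
        return f"{RET_IMM16[op]} {int.from_bytes(code[i + 1:i + 3], 'little')}", 3
    return None

def find_push_ret(code, base=0):
    """Sliding one-byte scan for a push immediately followed by a return.
    Returns (push_va, 'push x; ret', ret_va) tuples. The scan does not
    disassemble, so it can fire inside data or on a misaligned opcode; hits
    are candidates to confirm in a disassembler, not proof."""
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None:
            continue
        mnem, nxt = push
        ret = decode_ret(code, nxt)
        if ret is not None:
            hits.append((base + i, f"{mnem}; {ret[0]}", base + nxt))
    return hits

def format_hits(hits):
    """One line per hit in the report's 'VA push x; ret VA' layout."""
    return [f"{pva:08X} {text} {rva:08X}" for pva, text, rva in hits]

# Constructed snippet: a normal prologue, then the forms the report lists.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,           # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    0x0E, 0xCF,                 # push cs; iretd
    0x90,                       # nop
    0x50, 0xC3,                 # push eax; ret
    0x6A, 0xE1, 0xC3,           # push FFFFFFE1h; ret
    0x57, 0xCB,                 # push edi; retf
    0x51, 0xC2, 0x04, 0x00,     # push ecx; ret 4
    0xC3,                       # stray ret with no push before it (no hit)
])

if __name__ == "__main__":
    for line in format_hits(find_push_ret(SAMPLE_CODE, base=0x401000)):
        print(line)
```

The prologue at the start shows why the scan must key on the return, not the push: push ebp is in every function, and only the byte that follows makes it suspicious. A high density of hits inside one region (the 0x0080xxxx and 0x0223xxxx ranges in this report are heap and mapped memory rather than the file's .text) is the stronger signal, since compiler output rarely returns straight after a push.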
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
                  Source: C:\Users\user\Desktop\file.exe  Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\file.exe TID: 2400  Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 1768  Thread sleep count: 3524 > 30
                  Source: C:\Users\user\Desktop\file.exe TID: 6084  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,  0_2_004019F0
                  Source: C:\Users\user\Desktop\file.exe  Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep  graph_0-27525
                  Source: C:\Users\user\Desktop\file.exe  Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess  graph_0-27785
                  Source: C:\Users\user\Desktop\file.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\file.exe  Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\file.exe  Window / User API: threadDelayed 3524
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\file.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\file.exe  API call chain: ExitProcess graph end node  graph_0-27787
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: VMware
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Win32_VideoController(Standard display types)VMware18E_2DU2Win32_VideoControllerFN_PM3SZVideoController120060621000000.000000-00067789331display.infMSBDA3PUCB96YPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVV3CDAMO0ad49c6d16a3b6d\rY
                  Source: file.exe, 00000000.00000002.315185531.00000000008C4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  0_2_0040CE09
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,  0_2_004019F0
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,  0_2_0040ADB0
                  Source: C:\Users\user\Desktop\file.exe  Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00807ED3 push dword ptr fs:[00000030h]  0_2_00807ED3
                  Source: C:\Users\user\Desktop\file.exe  Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  0_2_0040CE09
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  0_2_0040E61C
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_00416F6A
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_004123F1 SetUnhandledExceptionFilter,  0_2_004123F1
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe  Code function: GetLocaleInfoA,  0_2_00417A20
                  Source: C:\Users\user\Desktop\file.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,  0_2_00412A15
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\file.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: file.exe, 00000000.00000002.314962542.0000000000867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.324532388.00000000058B4000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

                  Source: Yara match  File source: dump.pcap, type: PCAP
                  Source: Yara match  File source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: ElectrumE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: JaxxE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: ExodusE#
                  Source: file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: EthereumE#
                  Source: file.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp  String found in binary or memory: set_UseMachineKeyStore
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: Yara match  File source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match  File source: dump.pcap, type: PCAP
                  Source: Yara match  File source: 0.2.file.exe.2620000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390000.4.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22aabae.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2620000.6.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.2390ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.3.file.exe.770000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22aabae.3.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22a9cc6.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.file.exe.22a9cc6.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: file.exe PID: 4092, type: MEMORYSTR

                  ATT&CK matrix, techniques listed per tactic (leading numbers are kept as the report shows them):

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                  Execution: 221 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 Native API; At (Windows); Cron; Launchd
                  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                  Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                  Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing
                  Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                  Discovery: 1 System Time Discovery; 261 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 11 Process Discovery; 1 Application Window Discovery; 134 System Information Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                  Collection: 1 Input Capture; 1 Archive Collected Data; 3 Data from Local System; Input Capture; Keylogging; GUI Input Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
                  Impact: Modify System Partition; Device Lockout; Delete Device Data
                  Source | Detection | Scanner | Label | Link
                  file.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  windowsupdatebg.s.llnwi.net | 0% | Virustotal | |
                  Source | Detection | Scanner | Label | Link
                  http://tempuri.org/ | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                  https://api.ip.sb/ip | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                  77.73.133.62:22344 | 0% | URL Reputation | safe |
                  http://www.w3.o | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  windowsupdatebg.s.llnwi.net | 95.140.236.128 | true | false | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  77.73.133.62:22344 | true | URL Reputation: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/sc/sct | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/ | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://tempuri.org/Entity/Id2Response | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencefile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/faultfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsatfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.ip.sb/ipfile.exe, 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/scfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id1Responsefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=file.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegofile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Noncefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renewfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/file.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://search.yahoo.com?fr=crmas_sfpffile.exe, 00000000.00000002.320805184.000000000370F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.319226379.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322727550.00000000038A2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.322526912.0000000003885000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323515796.000000000397D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318408132.0000000002918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321815681.0000000003807000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.317662722.0000000002801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323299525.0000000003920000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318026799.000000000288D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323046128.0000000003903000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321973962.0000000003824000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.320669483.00000000036F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321144845.0000000003789000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.321256153.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.318816272.00000000029A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.323606581.000000000399A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/06/addressingexfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoorfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/Noncefile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsefile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/faultfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renewfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.w3.ofile.exe, 00000000.00000002.319868177.0000000002AEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentiffile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Committedfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultfile.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1file.exe, 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyfile.exe, 00000000.00000002.317014476.00000000026B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
IP: 77.73.133.62
Domain: unknown
Country: Kazakhstan
ASN: 43260
ASN Name: AS43260TR
Malicious: true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 778225
Start date and time: 2023-01-05 08:32:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 84
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 8.248.131.254, 67.26.75.254, 8.253.207.121, 8.253.207.120, 67.26.137.254, 209.197.3.8, 93.184.221.240
• Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, dual-a-0001.a-msedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time: 08:33:28
Type: API Interceptor
Description: 20x Sleep call for process: file.exe modified
Match: 77.73.133.62
Associated Sample Name / URL: file.exe
Detection: malicious
Match: windowsupdatebg.s.llnwi.net
Associated Sample Name / URL: B498478906628FECB57CCD1D01AC7F85D21E6335B63B8.exe
Detection: malicious
Context: 95.140.236.128
                                                                                                                                                                                                                                                    • 41.63.96.0
                                                                                                                                                                                                                                                    rtf.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 178.79.242.0
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 178.79.242.0
                                                                                                                                                                                                                                                    #U5b89#U8d5b#U4e50#U7c73#U5854#U5c14#U89c4#U8303#U6307#U5357 .exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 41.63.96.0
                                                                                                                                                                                                                                                    dkzchHHFnI.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 95.140.236.0
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 41.63.96.128
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 41.63.96.128
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 41.63.96.128
                                                                                                                                                                                                                                                    payload.dll.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 95.140.236.128
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 95.140.236.128
                                                                                                                                                                                                                                                    hrc7tywY1s.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 95.140.236.128
                                                                                                                                                                                                                                                    3B15486651F5E552FE3A354485AA2751DD730B8C3DD4E.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 178.79.242.128
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                    • 41.63.96.128
Match: AS43260 (TR)
(Nineteen of the twenty matches in this ASN share the single address 77.73.133.62, a far more specific pivot than a shared CDN hostname.)
Associated Sample Name / URL | Detection | Context
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
SecuriteInfo.com.Variant.Lazy.256797.23345.3695.exe | malicious | 77.73.133.119
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
file.exe | malicious | 77.73.133.62
No context
No context
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2291
Entropy (8bit):5.3192079301865585
Encrypted:false
SSDEEP:48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKx1qHAHxLHqH5HX:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbqA
MD5:A374B6BA789CC3D1135615FFE61BB448
SHA1:7FC31737426CE659638FD9DDE50A11FBEB8D0FB5
SHA-256:D6C911C395022483BB1ACB6B9DF303E210FB80F2875C31BFF62404F2E10897D0
SHA-512:614289188EA2E2B9AC1A76AFEB60D8F5423E6BB9FF505D707B6E59D20F49530B1418640BA0160A76A3E27249ACEA4108AE10AEA163E34291D6DCD1EBF9C68953
Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b
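The Preview above is a .NET CLR assembly usage log: the CSV the runtime writes for each managed process (under the per-user CLR_v4.0_32\UsageLogs directory) listing the assemblies it bound, with the native-image (.ni.dll) path where an NGEN image was used. The static section of this report shows no CLR header for file.exe, so a log like this coming from its process is consistent with the native binary hosting the .NET runtime at run time and loading a managed payload; the WCF stack being bound (System.ServiceModel, System.Runtime.Serialization, System.IdentityModel) is the detail a responder most wants from it. The parser below is an added example, not part of the report or of any Joe Sandbox tooling. Its input is constructed from the complete records visible in the Preview (each ".." there is a CRLF); the truncated trailing System.Xml record is left out rather than guessed. FRAMEWORK_TOKENS and ASSEMBLIES_OF_INTEREST are my own lists, not something the page defines.

```python
import csv
import io

# Public key tokens used by Microsoft .NET Framework assemblies (assumption: my own list).
# Anything bound with a different token is a candidate for the malware's own managed code.
FRAMEWORK_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

# Assemblies whose presence in a stealer's process says something about its capabilities
# (assumption: my own annotations).
ASSEMBLIES_OF_INTEREST = {
    "System.ServiceModel": "WCF (Windows Communication Foundation) client/service stack",
    "System.Runtime.Serialization": "DataContract serialization used for WCF message bodies",
    "System.IdentityModel": "WCF security and identity support",
    "System.Windows.Forms": "WinForms UI library",
}

# Constructed input: the complete records visible in the report's Preview, one per line.
SAMPLE_USAGE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0
'''


def parse_usage_log(text):
    """Return one dict per assembly record: kind, simple name, version, public key token, native image path."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        # Rows whose second field is not an assembly display name ("fusion"/"GAC",
        # "WinRT"/"NotApp") carry no binding information we need here; skip them.
        if len(row) < 3 or "Version=" not in row[1]:
            continue
        parts = [p.strip() for p in row[1].split(",")]
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        # A fourth field means the third one is the path of the native (NGEN) image that was used.
        native_image = row[2] if len(row) == 4 else None
        records.append({
            "kind": int(row[0]),
            "name": parts[0],
            "version": attrs.get("Version"),
            "token": attrs.get("PublicKeyToken", "").lower(),
            "native_image": native_image,
        })
    return records


def assemblies_of_interest(records):
    """Map each bound assembly from ASSEMBLIES_OF_INTEREST to its capability note."""
    return {r["name"]: ASSEMBLIES_OF_INTEREST[r["name"]]
            for r in records if r["name"] in ASSEMBLIES_OF_INTEREST}


def non_framework_assemblies(records):
    """Records not signed with a Microsoft framework token: the files to collect from the host."""
    return [r for r in records if r["token"] not in FRAMEWORK_TOKENS]


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_USAGE_LOG)
    for r in recs:
        print(f'{r["name"]:32} {r["version"]}  native_image={r["native_image"]}')
    for name, note in assemblies_of_interest(recs).items():
        print(f"interest: {name}: {note}")
    print("non-framework:", [r["name"] for r in non_framework_assemblies(recs)])
```

On a live host the same parser runs over every *.log in the UsageLogs directory; a record returned by non_framework_assemblies() names an assembly that is not part of the framework, and its native-image path, if any, points at a file worth collecting.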
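The static information that follows (Entrypoint, Imagebase, Image File Characteristics, DLL Characteristics, Time Stamp, TLS Callbacks, CLR version) is all read straight from the PE headers, and a triage script should confirm it independently rather than trust a single tool. The parser below is an added example, not Joe Sandbox code and not derived from the sample: it reads the DOS, COFF and PE32 optional headers with the standard library only and reports the fields the report lists. Its input is a constructed header-only image carrying the report's values; the real file.exe bytes are not on this page. It makes three security-relevant readings explicit: RELOCS_STRIPPED together with a missing DYNAMIC_BASE flag means the image carries no relocations and always maps at 0x400000, so the loader cannot randomize it; an empty CLR data directory means this is a native PE (the "Rich" marker in the File Content Preview is the MSVC linker's), which is consistent with a process that only hosts the .NET runtime later, as the dropped CLR usage log above shows; and the "zb" visible in the File Content Preview right after "PE..L" are the two high bytes of the 0x627A050C timestamp.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (subset, ascending order)
FILE_CHARACTERISTICS = [
    (0x0001, "RELOCS_STRIPPED"),
    (0x0002, "EXECUTABLE_IMAGE"),
    (0x0020, "LARGE_ADDRESS_AWARE"),
    (0x0100, "32BIT_MACHINE"),
    (0x0200, "DEBUG_STRIPPED"),
    (0x2000, "DLL"),
]
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset, ascending order)
DLL_CHARACTERISTICS = [
    (0x0040, "DYNAMIC_BASE"),
    (0x0080, "FORCE_INTEGRITY"),
    (0x0100, "NX_COMPAT"),
    (0x0400, "NO_SEH"),
    (0x4000, "GUARD_CF"),
    (0x8000, "TERMINAL_SERVER_AWARE"),
]
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
DIR_TLS, DIR_CLR = 9, 14  # data directory indices (TLS table, CLR runtime header)


def _flags(value, table):
    return [name for bit, name in table if value & bit]


def parse_pe32(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers of an image (headers only, no sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 96:
        raise ValueError("optional header too short")
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]

    def directory(index):  # (rva, size) of a data directory entry, (0, 0) if absent
        if index >= num_dirs:
            return (0, 0)
        return struct.unpack_from("<II", data, opt + 96 + 8 * index)

    chars = _flags(characteristics, FILE_CHARACTERISTICS)
    dchars = _flags(dll_chars, DLL_CHARACTERISTICS)
    return {
        "entrypoint": image_base + entry_rva,
        "image_base": image_base,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": chars,
        "dll_characteristics": dchars,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "os_version": f"{os_major}.{os_minor}",
        "managed": directory(DIR_CLR)[0] != 0,
        "has_tls_directory": directory(DIR_TLS)[0] != 0,
        # Randomizable only if the loader may rebase it AND the relocations needed to do so survive.
        "aslr": "DYNAMIC_BASE" in dchars and "RELOCS_STRIPPED" not in chars,
    }


def build_report_like_header() -> bytes:
    """Constructed input (not the sample's real bytes): a header-only PE32 carrying the values the
    report lists for file.exe: timestamp 0x627A050C, entrypoint 0x40600e, image base 0x400000,
    RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE, TERMINAL_SERVER_AWARE, GUI subsystem,
    OS version 5.0, and no CLR or TLS directory."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0x627A050C, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x40600E - 0x400000)    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<HH", opt, 40, 5, 0)                  # Major/MinorOperatingSystemVersion
    struct.pack_into("<HH", opt, 68, 2, 0x8000)             # Subsystem = GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes; all entries zero
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe32(build_report_like_header()).items():
        print(f"{key}: {value:#x}" if key in ("entrypoint", "image_base") else f"{key}: {value}")
```

To run it on a real file, pass the first few kilobytes of the image (the headers) to parse_pe32(); a TLS directory or a CLR directory that is present gives the corresponding True, and a fixed-base native image with a non-zero TLS directory is a common packer tell worth flagging on its own.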
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.357018387882796
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:370688
MD5:666c88fcf0d3bfeff2141ae4cd3c998f
SHA1:f24d13e05099aaeadda2933af13a01dd31defe6e
SHA256:2ffce4a30025c7b0c408da211a4a5c00c395c4933b94ecfa818a8c1aea5ae4d2
SHA512:13ea510475f5c54bd0849bfa464fd8d8f0eb49a97deeb579241d70ef37ec3ca38230be106b73b3a054b30c96885ed88172122fc24d4f95d238c1a6013d62dca1
SSDEEP:6144:45OL/4Vw30CgqHDS+tMLavr4SlyqAhFwn/rHOob4:45O74VwGqHe+tGaESlyqAHYrHA
TLSH:E074F021F693C435C6921A35083CA6E07A77BC725875DC4F33A43B3E5E712C06A667BA
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L.....zb...
Icon Hash:9062e090c6e73146
Entrypoint:0x40600e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x627A050C [Tue May 10 06:24:12 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
                                                                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                                                                    Import Hash:7bca87c7309353055aed194207c93e99
Instruction
call 00007FD8ECE20179h
jmp 00007FD8ECE1AA9Eh
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007FD8ECE1AC8Bh
xor eax, eax
mov al, byte ptr [esp+08h]
test al, al
jne 00007FD8ECE1AC38h
cmp edx, 00000100h
jc 00007FD8ECE1AC30h
cmp dword ptr [0046AE2Ch], 00000000h
je 00007FD8ECE1AC27h
jmp 00007FD8ECE2022Dh
push edi
mov edi, ecx
cmp edx, 04h
jc 00007FD8ECE1AC53h
neg ecx
and ecx, 03h
je 00007FD8ECE1AC2Eh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007FD8ECE1AC18h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007FD8ECE1AC28h
rep stosd
test edx, edx
je 00007FD8ECE1AC2Ch
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007FD8ECE1AC18h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD8ECE1AC2Ah
cmp edi, eax
jc 00007FD8ECE1ADCAh
cmp ecx, 00000100h
jc 00007FD8ECE1AC41h
cmp dword ptr [0046AE2Ch], 00000000h
je 00007FD8ECE1AC38h
push edi
push esi
and edi, 0Fh
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16dec | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0xbcb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x43a0 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16850 | 0x16a00 | False | 0.5433895890883977 | data | 6.339213405332651 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x52e34 | 0x37c00 | False | 0.9675194436659192 | data | 7.927411246731437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6b000 | 0xbcb0 | 0xbe00 | False | 0.3848889802631579 | data | 4.233070994447432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x740a0 | 0x2 | data | |
AFX_DIALOG_LAYOUT | 0x74098 | 0x2 | data | |
AFX_DIALOG_LAYOUT | 0x740a8 | 0x2 | data | |
AFX_DIALOG_LAYOUT | 0x740b0 | 0x2 | data | |
AFX_DIALOG_LAYOUT | 0x740b8 | 0x2 | data | |
RT_CURSOR | 0x740c0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0x74208 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0x74338 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
RT_CURSOR | 0x74428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
RT_CURSOR | 0x75500 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
RT_ICON | 0x6b6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x6bda8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x6c310 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x6d3b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x6d860 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Serbian | Italy
RT_ICON | 0x6e708 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Serbian | Italy
RT_ICON | 0x6efb0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Serbian | Italy
RT_ICON | 0x6f678 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Serbian | Italy
RT_ICON | 0x6fbe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Serbian | Italy
RT_ICON | 0x72188 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Serbian | Italy
RT_ICON | 0x73230 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Serbian | Italy
RT_ICON | 0x73bb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Serbian | Italy
RT_STRING | 0x75f18 | 0xea | data | Serbian | Italy
RT_STRING | 0x76008 | 0x348 | data | Serbian | Italy
RT_STRING | 0x76350 | 0x682 | data | Serbian | Italy
RT_STRING | 0x769d8 | 0x2d8 | data | Serbian | Italy
RT_GROUP_CURSOR | 0x741f0 | 0x14 | data | |
RT_GROUP_CURSOR | 0x75da8 | 0x14 | data | |
RT_GROUP_CURSOR | 0x754d0 | 0x30 | data | |
RT_GROUP_ICON | 0x74020 | 0x76 | data | Serbian | Italy
RT_GROUP_ICON | 0x6d820 | 0x3e | data | Serbian | Italy
RT_VERSION | 0x75dc0 | 0x154 | Encore not stripped - version 79 | |
DLL | Import
KERNEL32.dll | GetConsoleAliasW, GetModuleHandleW, CreateDirectoryExW, ReadConsoleInputW, GetTempPathW, GetSystemDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SearchPathA, VerifyVersionInfoA, SetProcessPriorityBoost, EndUpdateResourceA, FindNextFileW, FindFirstVolumeA, LocalShrink, GlobalFlags, _llseek, UpdateResourceA, CreateActCtxW, CopyFileW, AddConsoleAliasW, CreateMutexA, GetCurrentActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, SetEvent, MoveFileExA, CreateMailslotA, WriteConsoleInputA, TerminateThread, GetCurrentProcess, RtlCaptureContext, InterlockedCompareExchange, GetFileTime, lstrcatA, FindFirstFileW, FreeEnvironmentStringsA, SetErrorMode, InterlockedExchangeAdd, MoveFileWithProgressA, GetTickCount, SetLastError, GetPrivateProfileStructW, VerSetConditionMask, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA
GDI32.dll | SetBrushOrgEx
Language of compilation system | Country where language is spoken | Map
Serbian | Italy |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/05/23-08:33:19.794738 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
01/05/23-08:33:15.942610 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
01/05/23-08:33:17.284418 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2023 08:33:15.515443087 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:15.538602114 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:15.538750887 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:15.942610025 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:15.966166019 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:16.011603117 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:17.261018991 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:17.284418106 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:17.339823008 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:19.794738054 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:19.821599960 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:19.821656942 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:19.821726084 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:19.821727991 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:19.821774006 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:19.821813107 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:19.821839094 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:19.871328115 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:32.675800085 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Jan 5, 2023 08:33:32.700694084 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:32.701272011 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:32.701309919 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:32.754235029 CET | 22344 | 49698 | 77.73.133.62 | 192.168.2.3
Jan 5, 2023 08:33:32.800678015 CET | 49698 | 22344 | 192.168.2.3 | 77.73.133.62
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 5, 2023 08:32:51.825423956 CET | 8.8.8.8 | 192.168.2.3 | 0x1033 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.236.128 | A (IP address) | IN (0x0001) | false
Jan 5, 2023 08:32:51.825423956 CET | 8.8.8.8 | 192.168.2.3 | 0x1033 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.242.0 | A (IP address) | IN (0x0001) | false
Jan 5, 2023 08:32:52.124833107 CET | 8.8.8.8 | 192.168.2.3 | 0xa184 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.236.0 | A (IP address) | IN (0x0001) | false
Jan 5, 2023 08:32:52.124833107 CET | 8.8.8.8 | 192.168.2.3 | 0xa184 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.242.0 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 08:32:56
Start date: 05/01/2023
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x400000
File size: 370688 bytes
MD5 hash: 666C88FCF0D3BFEFF2141AE4CD3C998F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                    Reputation:low
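The dump names in the Yara list encode where in the process each hit was found, which decides which dumps are worth pulling for static analysis. The following Python triage helper is an added example, not part of the Joe Sandbox report or its tooling: it splits each `.sdmp` name into fields, decodes the page-protection and region-type fields with the Win32 MEMORY_BASIC_INFORMATION constants, groups the rule hits by region and orders executable regions first, since that is where unpacked code lives. The field positions are an assumption checked against the entries above (the 0x400000 image dump decodes as PAGE_EXECUTE_READWRITE/MEM_IMAGE, the heap regions as PAGE_READWRITE/MEM_PRIVATE); two fields are kept raw because their meaning is not documented on this page. The MATCHES list is copied from the Yara list above.

```python
import re

# Win32 MEMORY_BASIC_INFORMATION.Protect and .Type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0  # the four PAGE_EXECUTE* bits

# Assumed layout of a dump name: field 5 = protection, field 7 = region type.
# Fields 6 and 8 are kept raw; the page does not document them.
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump_id>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})"
    r"\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp$"
)

# Rule hits copied from the report's Yara-match list.
MATCHES = [
    ("JoeSecurity_RedLine", "00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp"),
    ("MALWARE_Win_RedLine", "00000000.00000002.316017890.0000000002390000.00000004.08000000.00040000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000003.246087746.0000000000881000.00000004.00000020.00020000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp"),
    ("MALWARE_Win_RedLine", "00000000.00000003.245776794.0000000000770000.00000004.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000002.315583461.0000000002269000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp"),
    ("MALWARE_Win_RedLine", "00000000.00000002.316721099.0000000002620000.00000004.08000000.00040000.00000000.sdmp"),
    ("Windows_Trojan_RedLineStealer_ed346e4c", "00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp"),
    ("MALWARE_Win_RedLine", "00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp"),
    ("Windows_Trojan_Smokeloader_3687686f", "00000000.00000002.313918869.00000000005E0000.00000040.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_RedLine", "00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_CredentialStealer", "00000000.00000002.317158042.0000000002712000.00000004.00000800.00020000.00000000.sdmp"),
]


def parse_sdmp(name):
    """Split one dump name into its fields and decode protection and region type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "proc": int(m["proc"]), "stage": int(m["stage"]), "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "executable": bool(protect & EXEC_MASK),
        "type": mtype,
        "type_name": MEM_TYPE.get(mtype, hex(mtype)),
        "field6": m["field6"], "field8": m["field8"],
    }


def triage(matches):
    """Group (rule, dump) pairs by region; executable regions first, then by address."""
    regions = {}
    for rule, source in matches:
        info = parse_sdmp(source)
        entry = regions.setdefault(info["base"], {**info, "rules": set()})
        entry["rules"].add(rule)
    ordered = sorted(regions.values(), key=lambda r: (not r["executable"], r["base"]))
    for r in ordered:
        r["rules"] = sorted(r["rules"])
    return ordered


def describe(region):
    flag = "EXEC" if region["executable"] else "    "
    return (f"{region['base']:#010x} {region['protect_name']:<24} "
            f"{region['type_name']:<12} {flag} {', '.join(region['rules'])}")


if __name__ == "__main__":
    for r in triage(MATCHES):
        print(describe(r))
```

Run stand-alone it prints one line per region. For this sample the RWX regions come first: 0x400000 (the image, which the signature list says was overwritten), 0x5E0000 and 0x807000 (private memory, the latter being where the execution graph shows the CreateToolhelp32Snapshot and VirtualAlloc calls). Those are the dumps to open first; the RW private and mapped regions are the candidates for string and configuration extraction.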


Execution Graph

Execution Coverage: 9.8%
Dynamic/Decrypted Code Coverage: 29.1%
Signature Coverage: 13.7%
Total number of Nodes: 344
Total number of Limit Nodes: 39
execution_graph: drawn on the original page as an interactive node graph; the node identifiers and edge list are omitted here. API calls that appear on the graph, grouped by the code they are reached from:
• Code at 0x2230490-0x2239071: FindCloseChangeNotification, VirtualProtect (two call sites).
• Code at 0x807e56-0x808645 (inside the 0x807000 region that the Yara list also flags): CreateToolhelp32Snapshot, Module32First, VirtualAlloc.
• CRT start-up from 0x40cbdd: HeapCreate, GetModuleHandleW, GetProcAddress, TlsAlloc, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, GetStartupInfoA, GetStdHandle, GetFileType, SetHandleCount, GetCommandLineA, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetModuleFileNameA, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, Sleep.
• Function 0x4019f0, reached from CRT start-up: OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, CloseHandle, FindCloseChangeNotification, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, GetProcAddress, lstrlenA, MultiByteToWideChar, GetLastError, SysAllocString, SysFreeString, InterlockedDecrement, VariantInit, VariantClear, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, RaiseException.
• Exit path: GetModuleHandleW, GetProcAddress, CorExitProcess, ExitProcess.

Control-flow Graph

control_flow_graph of the function at 0x4019f0: drawn on the original page as a block diagram in which executed and not-executed basic blocks are coloured differently; block addresses and edges are omitted here. Calls made from the blocks of the graph, in address order: OleInitialize, 401650, 40b99e (_getenv); GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First; a module-walk loop (blocks 401c55-401dbd) calling 401650 and Module32Next, with CloseHandle on its exit path; FindCloseChangeNotification, GetModuleHandleA, 401650, FindResourceA, LoadResource, LockResource, SizeofResource, 40b84d (_malloc), 40af66, 40ba30 (_memset), 401300, SizeofResource, 401560 (__VEC_memcpy), 40ba30, FreeResource, 40b84d, SizeofResource, 40ac60, 40ba30, 401650, LoadLibraryA, 401650, GetProcAddress; 4018f0, 401870, VariantInit, 401870, VariantInit, 4018d0, SafeArrayCreate, SafeArrayAccessData, 40b350, SafeArrayUnaccessData, an indirect call (78d01c/78d01d), SafeArrayDestroy, 40ad90, 4018d0, a second indirect call, SafeArrayCreateVector, 40ad90, VariantClear (x2), 4019a0, VariantClear, 4019a0, 40b6b5.
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
• Module32Next.KERNEL32 ref: 00401D02
• Module32Next.KERNEL32 ref: 00401DB6
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
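The API list above reads as two back-to-back patterns: a walk of the process's own module list (CreateToolhelp32Snapshot with flag 0x8, Module32First, Module32Next) followed by a resource being read into freshly allocated, zeroed heap memory (FindResourceA, LoadResource, LockResource, SizeofResource, _malloc, _memset). That is the load step of the unpacking the report flags in its signature list. The following Python detector is an added example, not a Joe Sandbox feature: it parses trace lines written in the same `API.MODULE(args), ref: addr` form as the list above (SAMPLE_TRACE is built from those lines and BENIGN_TRACE is constructed for contrast), matches each pattern as an ordered subsequence, decodes the TH32CS_* snapshot flags, and only reports a finding when both halves are present, so an ordinary program copying a string table out of its resources is not flagged.

```python
import re

# TH32CS_* flags for CreateToolhelp32Snapshot (tlhelp32.h).
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE",
          0x10: "TH32CS_SNAPMODULE32"}

# One trace line: API.MODULE(arg,arg,...), ref: ADDRESS  (the argument list is optional).
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)

# Built from the report's API list; the line format is the report's, not an export format.
SAMPLE_TRACE = """
OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02
"""

# Constructed: a benign program copying a string table (RT_STRING = 6) out of its resources.
BENIGN_TRACE = """
FindResourceA.KERNEL32(00000000,00000065,00000006), ref: 00401000
LoadResource.KERNEL32(00000000,00000000), ref: 00401010
LockResource.KERNEL32(00000000), ref: 00401020
SizeofResource.KERNEL32(00000000,00000000), ref: 00401030
_malloc.LIBCMT ref: 00401040
_memcpy_s.LIBCMT ref: 00401050
"""


def _arg(tok):
    """Hex argument, or None where the report printed '?' for an unresolved value."""
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None


def parse_trace(text):
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if m:
            args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"],
                          "args": args, "ref": int(m["ref"], 16)})
    return calls


MODULE_WALK = [
    ("snapshot", {"CreateToolhelp32Snapshot"}),
    ("first", {"Module32First", "Module32FirstW"}),
]
RESOURCE_COPY = [
    ("find", {"FindResourceA", "FindResourceW", "FindResourceExA", "FindResourceExW"}),
    ("load", {"LoadResource"}),
    ("lock", {"LockResource"}),
    ("size", {"SizeofResource"}),
    ("alloc", {"_malloc", "malloc", "VirtualAlloc", "HeapAlloc", "RtlAllocateHeap"}),
    ("fill", {"_memset", "memset", "_memcpy_s", "memcpy", "RtlMoveMemory"}),
]


def match_chain(calls, chain):
    """Ordered-subsequence match: each stage must occur after the previous one;
    unrelated calls in between are allowed. Returns {stage: call} or None."""
    hits, i = {}, 0
    for stage, names in chain:
        while i < len(calls) and calls[i]["api"] not in names:
            i += 1
        if i == len(calls):
            return None
        hits[stage] = calls[i]
        i += 1
    return hits


def detect_resource_unpack(text):
    calls = parse_trace(text)
    walk = match_chain(calls, MODULE_WALK)
    copy = match_chain(calls, RESOURCE_COPY)
    flags = 0
    if walk and walk["snapshot"]["args"] and walk["snapshot"]["args"][0] is not None:
        flags = walk["snapshot"]["args"][0]  # first argument is dwFlags
    return {
        "module_walk": walk is not None,
        "resource_copy": copy is not None,
        "snapshot_flags": [n for b, n in TH32CS.items() if flags & b],
        "refs": {k: hex(v["ref"]) for part in (walk, copy) if part for k, v in part.items()},
        "verdict": "resource-unpack" if walk and copy else "none",
    }


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, detect_resource_unpack(trace))
```

The matcher is order-sensitive but gap-tolerant, so the CloseHandle and Module32Next calls interleaved in the sample do not break it; the obvious tightening is to bound the distance between stages or require the buffer returned by _malloc to flow into the memset. The flag decode matters in triage: 0x8 is TH32CS_SNAPMODULE, a snapshot of the caller's own loaded modules, which together with the later VirtualAlloc, VirtualProtect and GetProcAddress calls on the execution graph is the shape of a loader finding its own modules before staging code.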
                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                                                                                                                                                                                      • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                                                                                                                                                                                      • API String ID: 2366190142-2962942730
                                                                                                                                                                                                                                                      • Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                                                                                                                                                      • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%
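The API profile of this function (two SizeofResource calls around _malloc and _memset, plus the resource and Toolhelp32 module-enumeration APIs summarized in the API ID line) is consistent with a loader that locates an embedded resource, sizes it, allocates a heap buffer and copies the blob out before using it. The Python below, added here as an editor's example and not code from the Joe Sandbox report or from the sample, does the analyst-side equivalent offline: it walks a PE file's resource directory tree and returns every leaf blob so the embedded stage can be carved and hashed. The minimal PE32 it builds as test input is constructed; the resource ids (RT_RCDATA 10, name 101, language 0x409) and the 0x1000/0x200 section layout are assumptions for the example, not values taken from this sample.

```python
"""Walk a PE file's resource tree and recover every leaf blob.

Added example, not from the report or the sample. build_test_pe() makes a
constructed PE32 with one RT_RCDATA resource (ids 101 / 0x409 are assumed).
"""
import struct

RT_RCDATA = 10


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_sections(data, nt_off, num_sections, opt_size):
    """Return (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) tuples."""
    table = nt_off + 4 + 20 + opt_size          # PE signature + COFF header + optional header
    sections = []
    for i in range(num_sections):
        s = data[table + 40 * i: table + 40 * (i + 1)]
        name = s[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", s, 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return sections


def extract_resources(data):
    """Return [(type_id, name_id, lang_id, bytes)] for every leaf of the resource tree.

    Named entries keep their raw identifier (high bit set = offset to a string).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    nt_off, = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, = struct.unpack_from("<H", data, nt_off + 6)
    opt_size, = struct.unpack_from("<H", data, nt_off + 20)
    opt_off = nt_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    data_dirs = opt_off + (112 if magic == 0x10B else 128)        # PE32 vs PE32+
    rsrc_rva, _size = struct.unpack_from("<II", data, data_dirs + 2 * 8)  # dir index 2
    if rsrc_rva == 0:
        return []
    sections = parse_sections(data, nt_off, num_sections, opt_size)
    rsrc_off = rva_to_offset(rsrc_rva, sections)
    leaves = []

    def walk(dir_off, path):
        # IMAGE_RESOURCE_DIRECTORY: named/id entry counts sit at offset 12
        named, ids = struct.unpack_from("<HH", data, dir_off + 12)
        for i in range(named + ids):
            ident, target = struct.unpack_from("<II", data, dir_off + 16 + 8 * i)
            if target & 0x80000000:             # subdirectory, offset relative to .rsrc
                walk(rsrc_off + (target & 0x7FFFFFFF), path + (ident,))
            else:                               # IMAGE_RESOURCE_DATA_ENTRY: RVA, size
                data_rva, size = struct.unpack_from("<II", data, rsrc_off + target)
                start = rva_to_offset(data_rva, sections)
                leaves.append(path + (ident, data[start:start + size]))

    walk(rsrc_off, ())
    return leaves


def build_test_pe(payload):
    """Construct a minimal PE32 whose only section is .rsrc holding one RT_RCDATA blob."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200

    def directory(entry_id, target):
        # one IMAGE_RESOURCE_DIRECTORY holding a single id entry (24 bytes total)
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", entry_id, target)

    rsrc = directory(RT_RCDATA, 0x80000000 | 0x18)   # root  -> type dir at 0x18
    rsrc += directory(101, 0x80000000 | 0x30)        # type  -> name dir at 0x30
    rsrc += directory(0x409, 0x48)                   # name  -> data entry at 0x48
    rsrc += struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0)
    rsrc += payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 112 + 2 * 8, rsrc_rva, len(rsrc))
    section = (b".rsrc".ljust(8, b"\0")
               + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw)
               + b"\0" * 16)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    return header.ljust(rsrc_raw, b"\0") + rsrc


if __name__ == "__main__":
    pe = build_test_pe(b"MZ" + b"\x90" * 14)       # constructed stand-in for a second stage
    for type_id, name_id, lang_id, blob in extract_resources(pe):
        print("type=%d name=%d lang=0x%x size=%d head=%r"
              % (type_id, name_id, lang_id, len(blob), blob[:2]))
```

Run against a real dropper, every leaf whose bytes start with MZ (or with high-entropy data the loader's _memset/_malloc buffer would later decrypt) is a carving candidate; the RVA-to-offset step matters because the data entry stores a virtual address, not a file offset, so reading it directly from the .rsrc raw data would miss the section's file alignment.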

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: d2d64cc091f9f88702326049da8d4efc4511194764e9116301f78feca7b58848
                                                                                                                                                                                                                                                      • Instruction ID: 816827f5b5e735c88291b2b28de73deea6b1b58b64961a41aed531809875587d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d2d64cc091f9f88702326049da8d4efc4511194764e9116301f78feca7b58848
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C7926A34B002058FCB54DF64C894A6EB7B2FF88314F158968EA16DB3A5DB74ED46CB90
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      (Rendered as an image in the original report; only the node list survived extraction. The function at 5808180 spans basic blocks 5808180-5808fe9 and calls 58070b0, 5806078, 5805f40, 58087a9 and 580810f, plus itself at 58081ae.)
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: aadfb835ddcd2f8eb3c27c439284827d52b1759761fe6a21b9416cc1e8956736
                                                                                                                                                                                                                                                      • Instruction ID: 5a20603ccdc8142d826156b755d668548128300cf040744311302da8c74b25bc
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aadfb835ddcd2f8eb3c27c439284827d52b1759761fe6a21b9416cc1e8956736
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3E62ED74B002188FCB54DF64D999B6DBBB2EF88304F1084A9E90AAB395DF349D81CF51
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 9d0d0bae9bbb3a068cf25cf407bad5ee4e6411eff8aba05eb645b964922f5dff
                                                                                                                                                                                                                                                      • Instruction ID: 65f021e89ec61730378162a7bb77ab84403290e51f5cc708d5a5132856dce7bf
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9d0d0bae9bbb3a068cf25cf407bad5ee4e6411eff8aba05eb645b964922f5dff
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7FD1A134B002158FC754DB79C869A6E7BF6EF88244F158069EA06DB395EF34ED02CB91
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 69518b04135f175e22e2d98c0f1aec4c73c0ca741742dd6802b9e0e78716d7a9
                                                                                                                                                                                                                                                      • Instruction ID: c1848b407c13834d5362ddb1e530a0521354aee2f9122fabb16cd4d3fe6533ab
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 69518b04135f175e22e2d98c0f1aec4c73c0ca741742dd6802b9e0e78716d7a9
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 81D14634A002058FCB58DF69D894AAEBBF6FF88315B548468ED46DB391DB34ED42CB50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 32b525ed6bcdd6129ef9dd680a896ea9a8584f857f8247aae2cffb112e67d4fe
                                                                                                                                                                                                                                                      • Instruction ID: ebbd49c425ef58537fd24a35635ad73103c347ffd8141b57669a673d9e33155d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 32b525ed6bcdd6129ef9dd680a896ea9a8584f857f8247aae2cffb112e67d4fe
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC918C35A042099FDB449FB4CC54AAEBBB6FF89244F118169EA05DB3A5DF35DC02CB90
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      (Rendered as an image in the original report; only the node list survived extraction. The function at 4018f0 spans basic blocks 4018f0-40199a, calls lstrlenA, MultiByteToWideChar and GetLastError, and calls the internal routines 4017e0 and 401030.)
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 00401906
                                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00401940
                                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3322701435-0
                                                                                                                                                                                                                                                      • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                                                                                                                                                      • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 169 40af66-40af6e 170 40af7d-40af88 call 40b84d 169->170 173 40af70-40af7b call 40d2e3 170->173 174 40af8a-40af8b 170->174 173->170 177 40af8c-40af98 173->177 178 40afb3-40afca call 40af49 call 40cd39 177->178 179 40af9a-40afb2 call 40aefc call 40d2bd 177->179 179->178
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
• std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
• Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
• Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
• Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 188 8085f6-80860f 189 808611-808613 188->189 190 808615 189->190 191 80861a-808626 CreateToolhelp32Snapshot 189->191 190->191 192 808636-808643 Module32First 191->192 193 808628-80862e 191->193 194 808645-808646 call 8082b5 192->194 195 80864c-808654 192->195 193->192 198 808630-808634 193->198 199 80864b 194->199 198->189 198->192 199->195
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0080861E
• Module32First.KERNEL32(00000000,00000224), ref: 0080863E
Memory Dump Source
• Source File: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, Offset: 00807000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_807000_file.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: ec441131bf58278cec05ddcf8a0f5cd7b42c7a13276d090bcf60a6f589487014
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: DAF0C232100710AFD7603AF89C8DB6E76E8FF69321F100128E692D10C0DF71EC854A61
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 201 40e7ee-40e7f6 call 40e7c3 203 40e7fb-40e7ff ExitProcess 201->203
APIs
• ___crtCorExitProcess.LIBCMT ref: 0040E7F6
  • Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
  • Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
  • Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA
• ExitProcess.KERNEL32 ref: 0040E7FF
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
• Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
• Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
• Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 204 5800cf8-5802cb2 call 5800bd8 call 5803c80 593 5802cb8-5802cc0 204->593 595 5802cc2-5802cd9 593->595 596 5802d2a-5802d2d 593->596 599 5802cfa 595->599 600 5802cdb-5802ce4 595->600 601 5802cfd-5802d0d 599->601 602 5802ce6-5802ce9 600->602 603 5802ceb-5802cee 600->603 606 5802d1b 601->606 607 5802d0f-5802d19 601->607 604 5802cf8 602->604 603->604 604->601 608 5802d22-5802d25 606->608 607->608 608->596
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05f7f5f1fbda89dc1c4d51f474754d4ea7609d47f3c3a61ce9c5aed7dbde1c19
• Instruction ID: 8ee6371c8b02c47793a0cfd7f5a6557082b82d50f4587e12d4f794206b52c5b3
• Opcode Fuzzy Hash: 05f7f5f1fbda89dc1c4d51f474754d4ea7609d47f3c3a61ce9c5aed7dbde1c19
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6131C3CA01244EFCB1AAF30D451999BB32FF4934AB20C56E8C5527B69DB7F9852DE01
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 610 5800ce8-5802c98 995 5802c9f-5802cb2 call 5800bd8 call 5803c80 610->995 999 5802cb8-5802cc0 995->999 1001 5802cc2-5802cd9 999->1001 1002 5802d2a-5802d2d 999->1002 1005 5802cfa 1001->1005 1006 5802cdb-5802ce4 1001->1006 1007 5802cfd-5802d0d 1005->1007 1008 5802ce6-5802ce9 1006->1008 1009 5802ceb-5802cee 1006->1009 1012 5802d1b 1007->1012 1013 5802d0f-5802d19 1007->1013 1010 5802cf8 1008->1010 1009->1010 1010->1007 1014 5802d22-5802d25 1012->1014 1013->1014 1014->1002
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebae4b3dc9132570bace3b4b169190bce93812f74fa28d121b784a3e16c4016a
• Instruction ID: 0dcac1fee6cfb1aa02f17e70a7c1b6c5af314b1a029f90f19dc74df81b4e5dd6
• Opcode Fuzzy Hash: ebae4b3dc9132570bace3b4b169190bce93812f74fa28d121b784a3e16c4016a
• Instruction Fuzzy Hash: FE131C3CA01244EFCB1AAF30D451999BB32FF4934AB20C56E8C5527B69DB7F9852DE01
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 1016 2238e30-2238eb1 VirtualProtect 1019 2238eb3-2238eb9 1016->1019 1020 2238eba-2238edf 1016->1020 1019->1020
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 02238EA4
Memory Dump Source
• Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_file.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: a92d04c0b8b040f22cfcb1259ed9b4953148468682de9befa63cde34e7b69f76
• Instruction ID: dd0686545a67154de8737f2c37ded55aa78e999947ca73830aea61b405280e69
• Opcode Fuzzy Hash: a92d04c0b8b040f22cfcb1259ed9b4953148468682de9befa63cde34e7b69f76
• Instruction Fuzzy Hash: CE11F7B1D042499FCB10CFAAC884BDFFBF5AF48214F10842AE529A7250C774A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 1024 2239000-223906f FindCloseChangeNotification 1027 2239071-2239077 1024->1027 1028 2239078-223909d 1024->1028 1027->1028
APIs
• FindCloseChangeNotification.KERNELBASE ref: 02239062
Memory Dump Source
• Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_file.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: bef2b7eda77e168790614a04d89df05aebb944cf6c5469cdfce1c31427374dca
• Instruction ID: c93a33738bb29febefce09a8415388a580242af76a60049cc88eccd2c853ac5c
• Opcode Fuzzy Hash: bef2b7eda77e168790614a04d89df05aebb944cf6c5469cdfce1c31427374dca
• Instruction Fuzzy Hash: 42113AB19002488FCB10CFAAC4447EFFBF4EB89214F108429C525A7240C775A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 1032 40d534-40d556 HeapCreate 1033 40d558-40d559 1032->1033 1034 40d55a-40d563 1032->1034
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
• Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 1035 40ea0a-40ea16 call 40e8de 1037 40ea1b-40ea1f 1035->1037
APIs
• _doexit.LIBCMT ref: 0040EA16
  • Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
  • Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
  • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
  • Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __decode_pointer$__initterm$__lock_doexit
• String ID:
• API String ID: 1597249276-0
                                                                                                                                                                                                                                                      • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                                                                                                                                      • Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                                      control_flow_graph 1090 8082b5-8082ef call 8085c8 1093 8082f1-808324 VirtualAlloc call 808342 1090->1093 1094 80833d 1090->1094 1096 808329-80833b 1093->1096 1094->1094 1096->1094
                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00808306
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, Offset: 00807000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_807000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                                      • Instruction ID: c24f24f0587f89d2ba261659776f22abebe53efdf8f2dec60213fb193499df33
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 87113F79A00208EFDB01DF98C985E99BBF5EF08750F058094F9489B361D771EA90DF80
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 2da66f9c56aff926d2786a3e642bf09c16e4a6276d808b6c6bdf8b0f47a9e1b3
                                                                                                                                                                                                                                                      • Instruction ID: 406bf7d4812e4ae4ef84050e08598054b117ba40494fe3ab83209c8f5bee3f8b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2da66f9c56aff926d2786a3e642bf09c16e4a6276d808b6c6bdf8b0f47a9e1b3
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8DE14B34A00205DFCB54DF65D995A9EBBB2FF88314F158828E906EB3A0DB34ED41CB94
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: c36a8c574e1f96934c75a80e2842ba4e514defe252467be1be49bb9090623231
                                                                                                                                                                                                                                                      • Instruction ID: 6d0d0b266d787959538b9b64d2b802095ae0fc33d23d2d407017b2cadb8ec795
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c36a8c574e1f96934c75a80e2842ba4e514defe252467be1be49bb9090623231
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F9D1F734B102188FDB64DF64D859BAD7BB6BB88315F1084A9E90AEB391DF319D81CF50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: eb52f42cd154a3b137affa03cfcb39bde8bbde16a378bab571ae7586bba99bd4
                                                                                                                                                                                                                                                      • Instruction ID: d08c250828e1c7d481ba38d6df812c01e321ded3f3e34957d9e7385f47d5a236
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb52f42cd154a3b137affa03cfcb39bde8bbde16a378bab571ae7586bba99bd4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3CA1BE347002058FC768EB75D895A2AB7E7EF84218F058879DA06CB784DF79EC068791
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: dba75e31364b98291bed369aa27ce78699ed07bcfd2dd9e2fe3c55e703b8b2a1
                                                                                                                                                                                                                                                      • Instruction ID: 11af8b62553a33d6ce9a62239536fe7ca15eb5b8288738f8b111ae5efddb27bd
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dba75e31364b98291bed369aa27ce78699ed07bcfd2dd9e2fe3c55e703b8b2a1
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7A1BF347042448FCB54DF78C899A6E7BB6EF89204F1580A9E906CB3A2DB34EC05CB91
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 2dd47e458f7e5cc4ff27df4532bf0801d5b7109cc1a740608090ebedfdfab4a2
                                                                                                                                                                                                                                                      • Instruction ID: d11dce24a79427f5edcb5251613e039b39ec5c0b167a9532c0ab6b7d174bdaaf
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2dd47e458f7e5cc4ff27df4532bf0801d5b7109cc1a740608090ebedfdfab4a2
• Instruction Fuzzy Hash: 7D717074E002098FDB54DFA9C8546AEB7F3AF89304F20852AE805EB390DB74AD46CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80af9283165199e76186114b13c0caf9a51def2d940c626717ba35155eb16418
• Instruction ID: dde8f647ece5bc4c94fdfb09bff05a6bc4df48e4f1dc71b362c36f8f29753766
• Opcode Fuzzy Hash: 80af9283165199e76186114b13c0caf9a51def2d940c626717ba35155eb16418
• Instruction Fuzzy Hash: BE811634A00205CFCB44DF65D999A9EBBB2FF88311B158558E806EB3A0DB34ED56CF94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: baffc2248692232a961d03b63ff34073ff47038f3e7af0d6cde53e59b92bbf9d
• Instruction ID: dec42885f20cc8a9998207e12214a22505aad0e54e8085d3f1036f84be4d9923
• Opcode Fuzzy Hash: baffc2248692232a961d03b63ff34073ff47038f3e7af0d6cde53e59b92bbf9d
• Instruction Fuzzy Hash: 78616D743402148FD754DF78C898A2AB7F6FF89614B1644A9EA06CB3B2DB74EC06CB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef990caaab4e608c1fc02aa3832bfbdcea6a769bc6f8b50f04c0f68278ac0e
• Instruction ID: 552bad477eb8c54cda1318893f0f51a1f041c1ac8dbd8afdb6ad42de3896827f
• Opcode Fuzzy Hash: 3cef990caaab4e608c1fc02aa3832bfbdcea6a769bc6f8b50f04c0f68278ac0e
• Instruction Fuzzy Hash: D251C135B042059BDB14EF69D885BAE7BA3EFC0224F04C529E906CB381DF75AD068BD1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9313554cdb50c660040f6b8df5e39b47385d6c9ebf7ab40fb787c34984cd377b
• Instruction ID: 6bc723da5b32e2724916b97d081751a400ef7933bfbbc40e762c0b93e17b5536
• Opcode Fuzzy Hash: 9313554cdb50c660040f6b8df5e39b47385d6c9ebf7ab40fb787c34984cd377b
• Instruction Fuzzy Hash: 9A514F38B042488FD7A4DB69D458AAE7BF2BF89314F15A068EA06DB391DF74DC41CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2033da470dbbb657eb6f28ae9b222e6afebd1ce1a9c70ef1fff81f1460d85b17
• Instruction ID: 62f0a0eccb14ea4272adc8c7e4cc12e3396ec596fd5a727f9ccabb41c4aaac4f
• Opcode Fuzzy Hash: 2033da470dbbb657eb6f28ae9b222e6afebd1ce1a9c70ef1fff81f1460d85b17
• Instruction Fuzzy Hash: E051EB74A11218AFDB14DFA4E855AADBBB6FF88314F108419E902E73A0DF74AD41CF64
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0b4ff00072070f3c1d6e7989759e32183e0c26be98d1520125529ba3fcbb303
• Instruction ID: ec230dde68493842637411a0a0d35eced1f92202e061ee98da2ca16a772710a7
• Opcode Fuzzy Hash: c0b4ff00072070f3c1d6e7989759e32183e0c26be98d1520125529ba3fcbb303
• Instruction Fuzzy Hash: 4A51D634A00209DFCB54DF95D994AAEBBB2FF88310F158454E906AB3A1DB35EC52CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aec4c27b904d55857eb57b4c95ce898df044c6f84df13547b3fa6a8f8cb7b7bb
• Instruction ID: 092f90105dd082572ce5a74ce8ca9711102161e5324c59c511e4b8d5828549a8
• Opcode Fuzzy Hash: aec4c27b904d55857eb57b4c95ce898df044c6f84df13547b3fa6a8f8cb7b7bb
• Instruction Fuzzy Hash: 2741C170B042088FC754DB69D86477EBBF6EF85314F14806AE91ADB391DB399D01CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a14468824e130baf548b90903173375412e84cc016afb3456a8da240bec30f4d
• Instruction ID: c8afe092f3c05da1f8339f9b81902a04b0200e5b343d80a89dfae48446786a96
• Opcode Fuzzy Hash: a14468824e130baf548b90903173375412e84cc016afb3456a8da240bec30f4d
• Instruction Fuzzy Hash: C541C335A082448FD755CB68D894BA97FF2FF49314F0990A9E902EB3A1CB349C41CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6719ab8f154a3f40f7409cc50c2bba2c482cbc24a21c4d8c0cd95cf76ee69006
• Instruction ID: 2e1aad037c442d2cac3b382dfb0c9a88ccd339ec00e20a9e03dccba77e32c60f
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6719ab8f154a3f40f7409cc50c2bba2c482cbc24a21c4d8c0cd95cf76ee69006
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 14413738A10108DFDB44EFA4D959A9DBBB2FF48305F119068E606AB3B5DB34AD46CB40
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 3c99ada69fc5feb4335fbc21bc139f64656a0436eccc61cf18d7953ad908b80c
                                                                                                                                                                                                                                                      • Instruction ID: 9c9b051baa72a3637bd55dc8e37739d8bb4c6a21c994a7623098d3efb111e363
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c99ada69fc5feb4335fbc21bc139f64656a0436eccc61cf18d7953ad908b80c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2131F234B043089FDB05EBB4D81976E7BB2AF85705F008869EA01EB3D5DF789E058B91
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: d8975683babf101aedfd179d1c9e9746237e75baf7c04398e8d005f660ce8d65
                                                                                                                                                                                                                                                      • Instruction ID: 95c4d4169d2696467fb9f77b2ac0ef9be1b74feba2dddb5aae907ccf112f89af
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d8975683babf101aedfd179d1c9e9746237e75baf7c04398e8d005f660ce8d65
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC314834714208CFD758DF69D4A9B6E7BB2AF88714F145468E906EB3A0DF36AC41CB50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 3f4090667acf40ac40346e59a5d5837e28b163d4db0aaf4476684f33f6487e18
                                                                                                                                                                                                                                                      • Instruction ID: 07791ae054f5876224396b453e08629f48b6ac74a8389485c9ff103004776c3d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f4090667acf40ac40346e59a5d5837e28b163d4db0aaf4476684f33f6487e18
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA319A756007059FCB04CF64C984AA9B7B2FF88320F119968EE16DB3A1DB31EC81CB90
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 4119a3870714f85634859f691ac8fee8cfe4e3b287efe877e2b841d0dabe706f
                                                                                                                                                                                                                                                      • Instruction ID: dbf2cc7062f2bd7f303017153ab819ab264f67bc10a75e57fc72f895b8ea1cd8
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4119a3870714f85634859f691ac8fee8cfe4e3b287efe877e2b841d0dabe706f
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 38317732D10B06CACB10EFA8C8102D9B3B1BF99324F24CB26E55977641EB70B5E5CB84
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 4f6d728ce0ef52f1ddeb448c593f00ae55372c69abbae60d61b34bbe214ba7cd
                                                                                                                                                                                                                                                      • Instruction ID: a9ddd5862059459ffb143748b57a30e85d05e10c0098769e7e951a5655d67544
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4f6d728ce0ef52f1ddeb448c593f00ae55372c69abbae60d61b34bbe214ba7cd
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 05317A31D10B06DACB10EFA9C8102D9F7B1BF99324F24CA26E54977641EB70B5E5CB94
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: ba01c8c64880216008cdf6f0654b9bab470e43989d9fdac077fcd29413a89885
                                                                                                                                                                                                                                                      • Instruction ID: 029fdda515a98cfcf34e4efb48db5b666224fb2dcd0165295e8655664fe8c1fe
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba01c8c64880216008cdf6f0654b9bab470e43989d9fdac077fcd29413a89885
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83311874704208CFD754DF69D9A8BAA7BB6BF88700F145068E906EB3A0DF76AD41CB50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_78d000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 1f8a812e36f8da0b0e15a5b6efba0d35e78e9646d0cef5188cc9ee3e76d083e2
                                                                                                                                                                                                                                                      • Instruction ID: 71ce7c777b4ffed23bb762d32fbec108669e5c28aad0deac29c95c9113e787d1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1f8a812e36f8da0b0e15a5b6efba0d35e78e9646d0cef5188cc9ee3e76d083e2
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 49212BB1544244EFCF15EF50D9C0F26BB65FB88314F24C569E9494B286C33AEC12CBA1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%
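The entries above all share the same shape: a Memory Dump Source line naming the .sdmp region the function was lifted from, a Snapshot File, blank Similarity fields, the Opcode/Instruction IDs and fuzzy hashes, and a Uniqueness Score. When triaging a report like this one, the useful first step is to collate the entries by dump region (here 0x05800000, the unpacked region, versus 0x0078D000) and sanity-check each record. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the listing format as it appears on this page, using a SAMPLE text constructed from two of the entries above. The only meaning it reads into the .sdmp file name is that its fourth dotted field equals the report's own "Offset:" value, which holds for every entry on the page; the remaining fields are left uninterpreted.

```python
"""Parse and cross-check the per-function 'Memory Dump Source' entries of a
Joe Sandbox report listing.  Added example; SAMPLE is constructed from two
entries visible in the report and is not report output copied verbatim."""
import re
from collections import defaultdict

SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba01c8c64880216008cdf6f0654b9bab470e43989d9fdac077fcd29413a89885
• Instruction ID: 029fdda515a98cfcf34e4efb48db5b666224fb2dcd0165295e8655664fe8c1fe
• Opcode Fuzzy Hash: ba01c8c64880216008cdf6f0654b9bab470e43989d9fdac077fcd29413a89885
• Instruction Fuzzy Hash: 83311874704208CFD754DF69D9A8BAA7BB6BF88700F145068E906EB3A0DF76AD41CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f8a812e36f8da0b0e15a5b6efba0d35e78e9646d0cef5188cc9ee3e76d083e2
• Instruction ID: 71ce7c777b4ffed23bb762d32fbec108669e5c28aad0deac29c95c9113e787d1
• Opcode Fuzzy Hash: 1f8a812e36f8da0b0e15a5b6efba0d35e78e9646d0cef5188cc9ee3e76d083e2
• Instruction Fuzzy Hash: 49212BB1544244EFCF15EF50D9C0F26BB65FB88314F24C569E9494B286C33AEC12CBA1
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Key: value" lines; the value may be empty (the Similarity fields are blank).
FIELD_RE = re.compile(r"^\u2022\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")


def parse_entries(text):
    """Split the listing at each 'Memory Dump Source' and return one dict per entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()          # the report is heavily indented when extracted
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":
                sm = SOURCE_RE.match(val)
                if not sm:
                    raise ValueError("unexpected Source File line: " + val)
                cur["file"] = sm.group("file")
                cur["offset"] = int(sm.group("offset"), 16)
                cur["based_on_pe"] = sm.group("pe") == "true"
            else:
                cur[key] = val
            continue
        sm = SCORE_RE.match(line)
        if sm:
            cur["uniqueness_score"] = float(sm.group(1))
    return entries


def dump_base_from_name(file_name):
    """Fourth dotted field of the .sdmp name as an int.  On this page that field
    always equals the stated Offset; no other field of the name is interpreted."""
    parts = file_name[:-len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError("expected 8 dotted fields: " + file_name)
    return int(parts[3], 16)


def check_entry(e):
    """Consistency checks worth running before trusting a record: the Offset must
    match the dump name, Opcode ID must equal Opcode Fuzzy Hash (as it does for
    every entry on the page), and the IDs must be 64 hex digits."""
    problems = []
    if dump_base_from_name(e["file"]) != e["offset"]:
        problems.append("offset does not match dump name")
    if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    for k in ("Opcode ID", "Instruction ID"):
        if not re.fullmatch(r"[0-9a-f]{64}", e.get(k, "")):
            problems.append(k + " is not a 64-hex-digit value")
    return problems


def group_by_dump(entries):
    """Map each dump base address to the Instruction IDs recovered from it, so the
    functions lifted from the unpacked region can be separated from the rest."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["offset"]].append(e["Instruction ID"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for base, ids in sorted(group_by_dump(recs).items()):
        print("dump 0x%08X: %d function(s)" % (base, len(ids)))
    for r in recs:
        print(r["file"], check_entry(r) or "ok")
```

Feeding the whole extracted report through parse_entries gives a per-region function count that is far more useful than reading the entries one by one; a non-empty list from check_entry marks a record that was damaged in extraction rather than one that is suspicious in itself.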

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 046c05c0d91402792e69a3942517ce037e91ad4836e642f75be096a6acac4365
                                                                                                                                                                                                                                                      • Instruction ID: 66973a5d2fc468db462d7ae9428fef14d7e2ed48a350ce926813a1fc09bf3c95
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 046c05c0d91402792e69a3942517ce037e91ad4836e642f75be096a6acac4365
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C319531E0070ACBCB11AF79D8191AEB7B5FF85310B10862ADD19A7640EF74A995CB94
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 8493ba7f1bb5fe88010ca3745d69688be8e0cad4c653647d6666ad9300ebfa72
                                                                                                                                                                                                                                                      • Instruction ID: ecacd69b7d67541745a534fb60b6c5b411de976c0dbf19347322788f2876dfaa
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8493ba7f1bb5fe88010ca3745d69688be8e0cad4c653647d6666ad9300ebfa72
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A621A5347183888BC759AB31A93E3793F7AAB42605B04286DFD47C62C1EF389C42C741
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_78d000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 494f3b6532481bc800e8c411f2ac7872f0f494eda2ce29a09203a79bf5e76beb
                                                                                                                                                                                                                                                      • Instruction ID: 3173137882e209d20453c639a55f0e449f8cd1cebdf3e2baffd5fcc09ea14521
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 494f3b6532481bc800e8c411f2ac7872f0f494eda2ce29a09203a79bf5e76beb
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9B213DB1584204DFCB24EF10D5C0B26BF61FB94328F20C56AD9054B286C33ADD66C7A1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_78d000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 1315aacae3be345373a11a4f9271aa8725e3584ad8519426350217dc3a2682dd
                                                                                                                                                                                                                                                      • Instruction ID: c8d1bb8a7bf7cc25e2834d8ccfa256956d7497d4704cec02d50904202a3c18f3
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1315aacae3be345373a11a4f9271aa8725e3584ad8519426350217dc3a2682dd
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0213AB1684208DFCB20EF50D9C0F16BF65FB94364F248569D9094B286D33ADC56CBA2
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 97d386037ba4308d5d8e49190d75aa2a0bf21f86a1810dab22d979d04a867f0a
                                                                                                                                                                                                                                                      • Instruction ID: 218c36e0ef0ca77269222172584579f345631cc6e9973ce5d3a95b798024f9c7
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 97d386037ba4308d5d8e49190d75aa2a0bf21f86a1810dab22d979d04a867f0a
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6E21CF34B043489FC715EB78D869A6D7BB2AF46300F5084AAE406DB391DF38DD06CB51
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 90fcf6901d2a9f8fd385bf36a9e2692da2757de48ff2b748cf369eb06f692c7d
                                                                                                                                                                                                                                                      • Instruction ID: b306585aca75800e432ac6b60bbfa02c1c65a2f0218a05746b68b601bf0dcb31
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 90fcf6901d2a9f8fd385bf36a9e2692da2757de48ff2b748cf369eb06f692c7d
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E11E4313082509FC710DB28D999A1ABBA6BF85224F05C999E549CF692DB70FC02CBD1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: b5138a4ff7b64addb741214e4b2a630a73a99891a4b2f57461ebe78134ff4321
                                                                                                                                                                                                                                                      • Instruction ID: 14e667e603fb209e9e9cf05f645f6a546683261a3df0fb626839d99c3fd174a2
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b5138a4ff7b64addb741214e4b2a630a73a99891a4b2f57461ebe78134ff4321
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7321C3353107008BCB109B78D85972A7BA7EBC5326F09892DEA46CB685DEB4EC068791
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36b997cda3d77cada7513fe39edce43d9b7e6b3ea36ab2fc4b01e8125e0ad08a
• Instruction ID: cc3d47db0dd5e025f726e933b46885da7e88c4181d47bc35fe3e45bbe5d8062c
• Opcode Fuzzy Hash: 36b997cda3d77cada7513fe39edce43d9b7e6b3ea36ab2fc4b01e8125e0ad08a
• Instruction Fuzzy Hash: B21123383543188BC7586B75642D63E39979BC52497455839EA0ACB7C1EF78CC438381
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d5354d8be2ec8b2438dd2fb91022d83efe7daf98d199ba869faea3d59eb7dfe
• Instruction ID: 8b99e49d162511dd14d9aa2e06277bb0274456addf6768d72abfb9611830a503
• Opcode Fuzzy Hash: 7d5354d8be2ec8b2438dd2fb91022d83efe7daf98d199ba869faea3d59eb7dfe
• Instruction Fuzzy Hash: FA1129B3C0C2914BC702DB38FC60BC57FA19F16218F0508FBC586DA652FA658A86CB52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec6c700c8d352a1c5de23f1cad2b5556e45833347a5f59f6491e15fe09737651
• Instruction ID: 38e943c4a51b9ebcbfe37dea87bf8d6d6f46aedbf5a9c1bf5c40e10c980b2d83
• Opcode Fuzzy Hash: ec6c700c8d352a1c5de23f1cad2b5556e45833347a5f59f6491e15fe09737651
• Instruction Fuzzy Hash: 6E11D630B007069BC700EF28D851A5EB3B6FF84214F008D28D5059B794DB70BE5A47D0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9bf6f42d624b6d36725572202cb4bb73f21c8adfae44a815e4ec1d34369f9a3
• Instruction ID: 61ef90117dc947850e6b07dcccd580da20104385fa585fdb27fda5e2ffcfa0a8
• Opcode Fuzzy Hash: a9bf6f42d624b6d36725572202cb4bb73f21c8adfae44a815e4ec1d34369f9a3
• Instruction Fuzzy Hash: 40119631A046588FCB24DF68D8596EEBBF1BF89304F00C56AD946B7290DF745948CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7687f293196414294b331d06230a59d2b2bed7cc52525ee688c30c8ccafa65c
• Instruction ID: 3c7d05b00bf6e736f12798af6ecade8e1ed7ed27a0ffda792bb2d1bd4aefaba6
• Opcode Fuzzy Hash: d7687f293196414294b331d06230a59d2b2bed7cc52525ee688c30c8ccafa65c
• Instruction Fuzzy Hash: 6221A276544280DFCF16DF10D9C4B16BF72FB88314F2486A9D9484B256C33AE856CB92
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41d772b753f0257f85e854c4c2a6027cf2c33d0e7db49e20c7c5c19a9c1d6921
• Instruction ID: 5ed8786e0810ac4012514983f0e174cf99d93520ee289acb902202ddae708536
• Opcode Fuzzy Hash: 41d772b753f0257f85e854c4c2a6027cf2c33d0e7db49e20c7c5c19a9c1d6921
• Instruction Fuzzy Hash: 8521C338E041488FCB25CFA4C559AADBFF1AF48304F248099D901EB3A1CB749D02CB41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 558f4158061b4ca12d4bdfd235155c100418661487f213ec57ea451d02d398a7
• Instruction ID: f529e46439ff23294dadf231a6e1227815eae7e093f64a715509e9c048b14551
• Opcode Fuzzy Hash: 558f4158061b4ca12d4bdfd235155c100418661487f213ec57ea451d02d398a7
• Instruction Fuzzy Hash: 2211D376444280DFCB11DF10D5C4B16FF72FB94324F24C6AAD8450B256C33AD966CBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 558f4158061b4ca12d4bdfd235155c100418661487f213ec57ea451d02d398a7
• Instruction ID: 5ca33f7c2680110c337a0aafd24f3e7e13b652c473bf8cd5796b80e772806e5a
• Opcode Fuzzy Hash: 558f4158061b4ca12d4bdfd235155c100418661487f213ec57ea451d02d398a7
• Instruction Fuzzy Hash: C011D376544284DFCB11DF14D5C4B16BF72FB94324F2486A9DC090B256C33AD85ACBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3947ddef135115ddd6db53252ac993eddb8f29f1ecbfef52fe56b86e71d0342
• Instruction ID: 554b9f16d25e0511abe8de5ac093e5a6ba20293520ea06085c88bec35c89f6fe
• Opcode Fuzzy Hash: c3947ddef135115ddd6db53252ac993eddb8f29f1ecbfef52fe56b86e71d0342
• Instruction Fuzzy Hash: C8110234B44208AFDB04DBB8D86AB6E7FE6EB45214F1040AAE945DB3C0DF319D028780
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: c5b966406800241e416fbeebdd8b82737b09a00bed8865d5d26c0f58d18a0955
                                                                                                                                                                                                                                                      • Instruction ID: aca0c39f4b75226eda452444bf9b56eb8a3391e6cfef6f95a5a2dd01996c075c
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5b966406800241e416fbeebdd8b82737b09a00bed8865d5d26c0f58d18a0955
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E40161303107049BCB14AB79D89962A7BABFBC4316F504C2DEA46C7781CFB5EC068754
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_78d000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 7a82d348544692977c6c76667eed84b953d8e998d85174669291fbf1dd086fda
                                                                                                                                                                                                                                                      • Instruction ID: 68e41ef98937d3f6ed2855e5bc03ab3755906b0b38474f4596c4e0caf77cfe06
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7a82d348544692977c6c76667eed84b953d8e998d85174669291fbf1dd086fda
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D01F7B04483449AD7209A26DC84B66BB98EF41328F18C459ED054B2C6C3BD9D45CBB1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 27a5aa21ebe68d7bc5815711dde4df5d8eb81a5894d06f78ea1e6befba5b5137
                                                                                                                                                                                                                                                      • Instruction ID: 51ebc72c1439684ffd005405669eb336b7521ee7f72703c830f8407c1b9bf746
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 27a5aa21ebe68d7bc5815711dde4df5d8eb81a5894d06f78ea1e6befba5b5137
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1012B30A007059BCB10EF24DC55B5E7BB6FB80218F004929E60997295DF74AA5987D0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: d836c32eb0cac8a5917ed046c76e8512deaef66a19184a1b8e1b7f0217af3fae
                                                                                                                                                                                                                                                      • Instruction ID: f377ab2e3e29d66bfcb3280ff4f32f3a49b33a53b3fece7d062b399fc7ad2f72
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d836c32eb0cac8a5917ed046c76e8512deaef66a19184a1b8e1b7f0217af3fae
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13F078313083004FE36466E8AC193B63F96EB91210F00502AED4BCB6C4CF784C02C7E1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 4f6ec79a350d4c8071d05894bb061b4ae9a5ea26a551013c27410d3ad6ba6879
                                                                                                                                                                                                                                                      • Instruction ID: fda355a06a5f9129a405671e5d61e380f221ee9114c4dbe8c32f3cb7ef861103
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4f6ec79a350d4c8071d05894bb061b4ae9a5ea26a551013c27410d3ad6ba6879
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AF028313042409BC710F76CF8898ADBF6BEBC626935085B9E50DDB549DF286D0B83D2
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: cad7d56fe3841eb9f3d909f4243fc72711f56833418743c24502cb967d084156
                                                                                                                                                                                                                                                      • Instruction ID: dd43ff3f6aa3267afe0ebac674de253ada265b6948b24c2cf70e2852b9855156
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cad7d56fe3841eb9f3d909f4243fc72711f56833418743c24502cb967d084156
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 75F0AF367082009BCB249F65E84AA7E7BABEFC0664F048429F906C7280DF759C0697A0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: f28db67e1677c2601eafd5f37969be305153c3d4308fc92f841ca9c65c6066f6
                                                                                                                                                                                                                                                      • Instruction ID: dd4c52b252d08ad7f2893d7e43e3dfecbad2aee33f519cee2d761ea62b2c095b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f28db67e1677c2601eafd5f37969be305153c3d4308fc92f841ca9c65c6066f6
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF018B35300605CFC754CF28D544A9AB3E2FF84225B16D8A9EA05CBB65DBB0FD028B90
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314301448.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 799c1b70fbc29fcd3bb0956c0ba41124cb8ea3b7bfae6145bd4a3b534abd18bf
• Instruction ID: 919d317e686d16031eb5434465ad3deb54774cf9cc06bc12c1749f8ec64cd8cf
• Opcode Fuzzy Hash: 799c1b70fbc29fcd3bb0956c0ba41124cb8ea3b7bfae6145bd4a3b534abd18bf
• Instruction Fuzzy Hash: A0F062B1444284AEE7208E16CCC4B62FF98EB51724F18C56AED585B286C3799C45CBB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea8e0a3db1e5feeff9dda1c3b09dc895011bc7d04ad6211a2803b2d894b2521a
• Instruction ID: 2986cbf8261b76c7e7296c6e91f61e6fc150e1126e4df57862d3439e770bd1fa
• Opcode Fuzzy Hash: ea8e0a3db1e5feeff9dda1c3b09dc895011bc7d04ad6211a2803b2d894b2521a
• Instruction Fuzzy Hash: 53F06930E10319CFCB50DF69D80859EBFF0BF88314B00851AE859E7240DB70AA05CF94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54fb7fd0f9fbf3e115a7dd46bf693bb86e89e4129bb0b4d33df3346b3fef75cb
• Instruction ID: f625588b4020ecfe60e9a37887c7858c898564c082d639fc6dfa39c8443d142d
• Opcode Fuzzy Hash: 54fb7fd0f9fbf3e115a7dd46bf693bb86e89e4129bb0b4d33df3346b3fef75cb
• Instruction Fuzzy Hash: 86F02772B042048FD3048B68DC58B67FBA5FF84324F04417AD90ACB2A1DB718C80CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3313ca2276df6284cc675fdcc6fdd4aff9cf06b138509950c48ec79a63b7f354
• Instruction ID: cd74d410b79b5747c6df6191fa1bd0f077ae8e47ce7dd258026acbd5aab56253
• Opcode Fuzzy Hash: 3313ca2276df6284cc675fdcc6fdd4aff9cf06b138509950c48ec79a63b7f354
• Instruction Fuzzy Hash: 7801A475A15219ABDF00DB90EC55FAEBBB2BF48314F109455E802BB2A0CB756A40DF60
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebfa040651966872712fc3c5d9a2b943d56509d1a7cbe9444718a82e3c6e3842
• Instruction ID: 726e9e1f1d3a0305c6dadd9dbd6ba0908fd12e0ca9bb30794f297aad407f177d
• Opcode Fuzzy Hash: ebfa040651966872712fc3c5d9a2b943d56509d1a7cbe9444718a82e3c6e3842
• Instruction Fuzzy Hash: 13F0E931548750CFC350EB39DC4A05A7FE2AE81110384CD5DD189CA965DBA4B60A8791
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c616d5cac3b3d855487ef91447601588c5700d91ec8ce5bfc6de86a5c75446e7
• Instruction ID: f64db6dae2315c3dfad8a316a9d7a68bd4b045e46833aef25364dc4e8cf46281
• Opcode Fuzzy Hash: c616d5cac3b3d855487ef91447601588c5700d91ec8ce5bfc6de86a5c75446e7
• Instruction Fuzzy Hash: D4F0EC7970818457D3117AA5BC6CA5A7F9DD7CA624F444429F60DC3241DF695D00C3A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51c94123294e31e7b6655cef4eccea844ca5bc3857a5261cc3b6689e98f3dbc7
• Instruction ID: 3ac7e31aa9624c0a85b691d33dd19ef107cd8dc3c59615940beb96985039dfbf
• Opcode Fuzzy Hash: 51c94123294e31e7b6655cef4eccea844ca5bc3857a5261cc3b6689e98f3dbc7
• Instruction Fuzzy Hash: D8F027333057918FC301CF20E405C1ABB71AF81721304819AE8459B272DB24EE50C7C0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82777f7734effd561832f0d0b999ddd09f6dc3f08a1b0d2d362724c691d16bc6
• Instruction ID: 45d3f91cd11a92ab9d0b4e8d8d7e58431528767fae28e5c68a2ef14e1bddb0c8
• Opcode Fuzzy Hash: 82777f7734effd561832f0d0b999ddd09f6dc3f08a1b0d2d362724c691d16bc6
• Instruction Fuzzy Hash: 31F01C76B003088BCB048B99DA411DDBBF6EF85312F24046AD909EB754DB71AE45CB85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72e8986cdff5cb6a08054daddee91e94b6b33ee7e624f6cb0738270202f277e7
• Instruction ID: aa0846f5c93d32bb971f1dcf5b96f5882faf982ef71aee20a4c3d386fcd88295
• Opcode Fuzzy Hash: 72e8986cdff5cb6a08054daddee91e94b6b33ee7e624f6cb0738270202f277e7
• Instruction Fuzzy Hash: 43F0EC701046448FEB209B74D85DB667BD5FB81326F04C92DE09BC71D1DF75A849CB40
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: e602578b9351289f74536d7b489a60df530a959095d6f02241eb50aa026b5fdc
                                                                                                                                                                                                                                                      • Instruction ID: d01be8a98cf2055d0a55fb443efefa5e904c9ab6374b91ba0d3d82b780a2a203
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e602578b9351289f74536d7b489a60df530a959095d6f02241eb50aa026b5fdc
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D3E0E5319047108FC354FB39D94714AB7E69F84220B40CD2DE10983A14DFB1B91947E5
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: cb9564e587ef7bc7ffeab7eac0a6477eae697e4dd3fe79766f4247a15070a3dc
                                                                                                                                                                                                                                                      • Instruction ID: db930940618dc5932f76b6ae61927f3f5d2ff0bf5e45e120d41fcbe7c4d4f183
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb9564e587ef7bc7ffeab7eac0a6477eae697e4dd3fe79766f4247a15070a3dc
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09E0DF3930414867D3107AAAB85C86ABAAEE7C9624340843AFB0DC3205DFA95D0083B0
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 7dda94a9b95131154684eccb8c5db0db5dc974e5b893d3cde31c9f7636612647
                                                                                                                                                                                                                                                      • Instruction ID: c72401115a59798853b5b0f6344b1ff36492d2cdd7f51b2810580ee364a59e3d
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7dda94a9b95131154684eccb8c5db0db5dc974e5b893d3cde31c9f7636612647
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1E0ED302082409BE304EF34E89A7596B92AB80328F46C969D1489F2E6CBFD694987C1
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 0254790dff37deee1a34bf4ae5ffb7328a6c88ba5cdf1307c12fea6c81bef8f5
                                                                                                                                                                                                                                                      • Instruction ID: b4131b720606685bb73a3882a9d6006662f408499fd4f575c2d16788eebfed49
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0254790dff37deee1a34bf4ae5ffb7328a6c88ba5cdf1307c12fea6c81bef8f5
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F9E092302042048FD724AB68D44DE6AB7EAEB85336F04C92DE44BD76A1CF75B889CB50
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: c91ee9f07dd4cebef01c9eda42574ba4c66c5958dfc38174cca9a905bb6cd63b
                                                                                                                                                                                                                                                      • Instruction ID: d3e7c39b4da5526091d911d1c0838fc7017b6c3c8116aa06b6db235dadd8c56f
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c91ee9f07dd4cebef01c9eda42574ba4c66c5958dfc38174cca9a905bb6cd63b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AEE092305047108FC354FB29D54644AB7E69F84220340CD29E14A87A18DFB0B91947E5
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: b04131131e4cc0674cd4eb3b25600895eeae2a0653b3bdebddb3f6f8a27b196b
                                                                                                                                                                                                                                                      • Instruction ID: e9be3599a59030a33ef364ac4810a14ee8c51aad085cc498d2779b5d097ddcf6
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b04131131e4cc0674cd4eb3b25600895eeae2a0653b3bdebddb3f6f8a27b196b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5FF039B0D08249CFCB80DFA9D8166AFBFF0AB59300F10C16AE858E2281E7344601CFC2
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5800000_file.jbxd
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 0c5e63dbe043a8784e4ef6909cccb1c525c50bb91bd65988585a6715f0ce42b3
                                                                                                                                                                                                                                                      • Instruction ID: 78f26a8aa9886b4a4e384c6f3bce9a50213aaefcf62d093a8412d56fe7d293b1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0c5e63dbe043a8784e4ef6909cccb1c525c50bb91bd65988585a6715f0ce42b3
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FDE092B0D0420D9F8B84DFAAD9416BEBFF4AB48200F10816AE919E2250E6345A51CFD5
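The records above are the per-function entries the report's IDA plugin emits: every one of them comes from the same non-PE-backed memory dump at offset 05800000, and each carries an Opcode ID, an Instruction ID and two fuzzy hashes. When triaging many such reports it is useful to parse these blocks into structured data rather than reading them by eye. The following Python is an added example, not Joe Sandbox code: it parses the record layout shown on this page, cross-checks each record (Opcode ID against Opcode Fuzzy Hash, the dump file name against the stated Offset, and whether the code came from a writable-executable region with no PE image behind it), and ranks record pairs by a crude positional comparison of their instruction fuzzy hashes so near-duplicate functions can be reviewed together. The sample text is constructed from three records on this page; the meaning of the individual fields in the .sdmp file name and the positional hash comparison are assumptions, not the sandbox's documented format or its own similarity metric.

```python
"""Parse Joe Sandbox per-function records (layout as on this page) and run
analyst checks over them.  Added example, not Joe Sandbox code.  The .sdmp
field split and the positional hash comparison are assumptions."""
import re
from dataclasses import dataclass
from itertools import combinations

PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant

# Constructed from three records on this page.
SAMPLE = """\
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72e8986cdff5cb6a08054daddee91e94b6b33ee7e624f6cb0738270202f277e7
• Instruction ID: aa0846f5c93d32bb971f1dcf5b96f5882faf982ef71aee20a4c3d386fcd88295
• Opcode Fuzzy Hash: 72e8986cdff5cb6a08054daddee91e94b6b33ee7e624f6cb0738270202f277e7
• Instruction Fuzzy Hash: 43F0EC701046448FEB209B74D85DB667BD5FB81326F04C92DE09BC71D1DF75A849CB40
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e602578b9351289f74536d7b489a60df530a959095d6f02241eb50aa026b5fdc
• Instruction ID: d01be8a98cf2055d0a55fb443efefa5e904c9ab6374b91ba0d3d82b780a2a203
• Opcode Fuzzy Hash: e602578b9351289f74536d7b489a60df530a959095d6f02241eb50aa026b5fdc
• Instruction Fuzzy Hash: D3E0E5319047108FC354FB39D94714AB7E69F84220B40CD2DE10983A14DFB1B91947E5
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c91ee9f07dd4cebef01c9eda42574ba4c66c5958dfc38174cca9a905bb6cd63b
• Instruction ID: d3e7c39b4da5526091d911d1c0838fc7017b6c3c8116aa06b6db235dadd8c56f
• Opcode Fuzzy Hash: c91ee9f07dd4cebef01c9eda42574ba4c66c5958dfc38174cca9a905bb6cd63b
• Instruction Fuzzy Hash: AEE092305047108FC354FB29D54644AB7E69F84220340CD29E14A87A18DFB0B91947E5
"""


@dataclass
class FunctionRecord:
    uniqueness_score: float
    source_file: str
    offset: int
    based_on_pe: bool
    fields: dict  # the "• Key: value" bullets, keyed by name


def parse_records(text):
    """One FunctionRecord per 'Uniqueness' block in the report text."""
    records = []
    for block in re.split(r"^Uniqueness$", text, flags=re.M)[1:]:
        bullets = dict(re.findall(r"^• ([^:]+): ?(.*)$", block, flags=re.M))
        score = float(re.search(r"Uniqueness Score: (-?[\d.]+)%", block).group(1))
        src = re.match(r"(\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)",
                       bullets["Source File"])
        records.append(FunctionRecord(score, src.group(1), int(src.group(2), 16),
                                      src.group(3) == "true", bullets))
    return records


def sdmp_fields(name):
    """Assumption: 4th dot-separated field is the region base address and the
    5th a Windows page-protection value.  Only the base is verifiable here,
    since it must equal the record's stated Offset."""
    parts = name.removesuffix(".sdmp").split(".")
    return {"base": int(parts[3], 16), "protect": int(parts[4], 16)}


def check_record(rec):
    """Findings an analyst would want flagged for one record."""
    findings = []
    if rec.fields.get("Opcode ID") != rec.fields.get("Opcode Fuzzy Hash"):
        findings.append("Opcode ID and Opcode Fuzzy Hash differ")
    info = sdmp_fields(rec.source_file)
    if info["base"] != rec.offset:
        findings.append("dump base address does not match Offset")
    if not rec.based_on_pe and info["protect"] == PAGE_EXECUTE_READWRITE:
        findings.append("code from an RWX region not backed by a PE image (consistent with unpacked code)")
    return findings


def similarity(a, b):
    """Fraction of hex positions that agree.  Assumption: a crude ranking aid
    for manual review, not the sandbox's own fuzzy-hash similarity."""
    if not a or not b:
        return 0.0
    same = sum(x == y for x, y in zip(a.upper(), b.upper()))
    return same / max(len(a), len(b))


def rank_pairs(records):
    """(score, i, j) for every record pair, most similar first."""
    key = "Instruction Fuzzy Hash"
    scored = [(similarity(records[i].fields[key], records[j].fields[key]), i, j)
              for i, j in combinations(range(len(records)), 2)]
    return sorted(scored, reverse=True)
```

Run over the three sample records, the checks come back clean apart from the RWX/non-PE finding on every record, and the second and third records rank as the closest pair; their instruction fuzzy hashes agree at well over half of their positions, while either one against the first record agrees at under a third. That is the kind of pair worth opening side by side in the disassembler.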
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
                                                                                                                                                                                                                                                      • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                                                      • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID: @$@
                                                                                                                                                                                                                                                      • API String ID: 0-149943524
                                                                                                                                                                                                                                                      • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                                                                                                                                                                                                                                      • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                                                                                                                                                                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3859560861-0
                                                                                                                                                                                                                                                      • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                                                      • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3192549508-0
                                                                                                                                                                                                                                                      • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                                                                                                                                                      • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                                                                                                                                                                                                                                      • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                      • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                                                                                                                                                                                                                      • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                                                                                                                                                                                                                                                      Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7eae671489186cd0ec3e92ccc74bd9d4bb1faf694eafd0adf9c56ec799e98474
• Instruction ID: 0313fb6ea412c6075a9cb2914967eb475fc595599a079ed19ee0264ddf719e8e
• Opcode Fuzzy Hash: 7eae671489186cd0ec3e92ccc74bd9d4bb1faf694eafd0adf9c56ec799e98474
• Instruction Fuzzy Hash: 05E191743001159FD758DF78C8A4B2AB7E6BF88214F018568EA1ACB7A5DF74EC52CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
• Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
• Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
• Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
• Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
• Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
• Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
• Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
• Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
• Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a940ecd29a23c67f33689ae9a7f7c9f02bd6e481d3e5752cbe3ba0e991acdac
• Instruction ID: bf03133b237e34ed2a51ae2d79b00d52ad1ba2cf356163153ac7ac5d9791c061
• Opcode Fuzzy Hash: 6a940ecd29a23c67f33689ae9a7f7c9f02bd6e481d3e5752cbe3ba0e991acdac
• Instruction Fuzzy Hash: CD710BB0E446048FD788EF6AE85069EBBF3ABC5304F04D839D2059B368EFB459558F61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c23cbeb74d192475fe3b6263ef428c7d6f7c87907b539975af36133cf9e7df9
• Instruction ID: 6693f3b23de5f3db5e8da76ac29d87dc3d3232081c4ff093157e792e004bed7b
• Opcode Fuzzy Hash: 2c23cbeb74d192475fe3b6263ef428c7d6f7c87907b539975af36133cf9e7df9
• Instruction Fuzzy Hash: 2D71FBB0E446048FD788EF6AE85069ABBE3ABC5304F04D839D2059B368FFB459558F61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
• Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
• Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
• Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
Uniqueness
Uniqueness Score: -1.00%

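The "Source File" names in this listing encode which memory region each recovered function came from, and that is the detail worth reading before anything else: functions at 0x00400000 live in the mapped image (based on PE: true), while those at 0x02230000 and 0x05800000 come from regions with no PE header (based on PE: false), which is where an unpacked stage would be carved out for Yara and configuration extraction. The following script is an added example, not Joe Sandbox code, that decodes these names across a report excerpt. The field layout is an assumption inferred from the listing itself: the fourth dotted field equals the reported Offset, the fifth matches a Windows page-protection value (0x40 is PAGE_EXECUTE_READWRITE) and the seventh matches a region type (0x01000000 is MEM_IMAGE on the PE-backed dumps, 0x00020000 is MEM_PRIVATE on the others); the remaining fields are not decoded. The sample listing embedded in the block is copied from the Source File lines above, with the Associated dumps left out because they carry no Offset or PE fields.

```python
"""Decode the memory-dump region names in a Joe Sandbox function listing.

Added example, not Joe Sandbox code. The dotted-field layout of the .sdmp
name is an ASSUMPTION inferred from the listing: field 4 equals the reported
"Offset", field 5 matches a Windows page-protection value and field 7 matches
a memory-region type (MEM_IMAGE on the "based on PE: true" dumps, MEM_PRIVATE
on the others). Fields 6 and 8 are captured but not decoded.
"""
import re

# Windows constants from winnt.h
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK, WRITE_MASK = 0xF0, 0xCC  # any PAGE_EXECUTE_*; any READWRITE / WRITECOPY
MEM_TYPE = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp", re.IGNORECASE)
LINE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9a-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)

# Source File lines copied from the report listing (Associated dumps omitted).
LISTING = """
Source File: 00000000.00000002.324235737.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Source File: 00000000.00000002.315488054.0000000002230000.00000040.00000800.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""


def parse_source_line(line):
    """Return a decoded region dict for a 'Source File:' line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    s = SDMP_RE.fullmatch(m.group("name"))
    if not s:
        raise ValueError("unexpected .sdmp name layout: " + m.group("name"))
    base, prot, mtype = (int(s.group(k), 16) for k in ("base", "prot", "type"))
    if base != int(m.group("offset"), 16):
        # The layout assumption rests on this equality; refuse to guess if it fails.
        raise ValueError("base-address field does not match Offset: " + line.strip())
    return {
        "base": base,
        "protection": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & EXEC_MASK),
        "writable": bool(prot & WRITE_MASK),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "based_on_pe": m.group("pe").lower() == "true",
    }


def classify(region):
    """Triage tag for an unpacking investigation."""
    rwx = region["executable"] and region["writable"]
    if rwx and region["type"] == "MEM_IMAGE":
        return "IMAGE_RWX"    # mapped module whose section rights were changed in place
    if rwx and region["type"] == "MEM_PRIVATE":
        return "PRIVATE_RWX"  # allocated memory that became executable: unpacked-code candidate
    if region["executable"]:
        return "EXEC"
    return "NON_EXEC"


def summarize(listing):
    """Map base address -> {region, verdict, functions} over a listing excerpt."""
    out = {}
    for line in listing.splitlines():
        r = parse_source_line(line)
        if r is None:
            continue
        entry = out.setdefault(r["base"], {"region": r, "verdict": classify(r), "functions": 0})
        entry["functions"] += 1
    return out


if __name__ == "__main__":
    for base, e in sorted(summarize(LISTING).items()):
        r = e["region"]
        print(f"{base:#010x} {r['type']:<11} {r['protection']:<22} pe={r['based_on_pe']!s:<5} "
              f"functions={e['functions']} -> {e['verdict']}")
```

On this excerpt the image at 0x00400000 is tagged IMAGE_RWX, which is consistent with the "changes PE section rights" and "overwrites its own PE header" signatures in the report summary, and the two PAGE_EXECUTE_READWRITE private regions are the candidates to dump and scan first. The script raises rather than guesses if a name does not fit the assumed layout, so a changed report format fails loudly instead of silently mislabelling regions.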
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
• Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
• Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
• Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
• Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
• Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
• Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.314687772.0000000000807000.00000040.00000020.00020000.00000000.sdmp, Offset: 00807000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_807000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: e377c7b7d040479eba251c8c428f600679b57a2aef6cbd0757ce9dcbbdf106b0
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: AA118E72744101AFD784DF59DC81EA673EAFB89320B2980A5ED08CB356DA76EC42C760
Uniqueness

Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,007C1860), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
• String ID:
• API String ID: 3809854901-0
• Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
• Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
• Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
• Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
Strings
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: _malloc$AllocateHeap
• String ID: 1.2.3
• API String ID: 680241177-2310465506
• Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
• Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
• Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
• Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
• Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
Uniqueness

Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Strings
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618
• Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
• Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
• String ID:
• API String ID: 2805327698-0
• Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
• Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
• Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
• Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(007C1608), ref: 00414050
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
• Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
Uniqueness

Uniqueness Score: -1.00%
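
The per-function entries in this part of the report all follow one fixed layout: an APIs list of direct calls and "Part of subcall function" callee calls (each tagged with the module that owns it, LIBCMT or KERNEL32, and a ref address), an optional Strings list, the memory-dump and snapshot lines, and a Similarity block carrying the API ID, String ID, Opcode ID and the two fuzzy hashes. When a report has hundreds of these, the useful first pass is to separate the statically linked MSVC runtime helpers (everything resolves to LIBCMT) from functions that touch Win32 imports, and to pull out the functions that resolve APIs at run time. The parser below is an added example written for this page, not Joe Sandbox code; the sample text is copied from three entries in this section of the report (the memory-dump and snapshot lines are left out, and the third entry is kept as the page shows it, without its fuzzy hashes), and the class names and the RESOLVERS set are this example's own choices.

```python
"""Parse Joe Sandbox per-function entries (APIs / Similarity / Uniqueness)
and triage them.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Sample input: three entries copied from this report (memory-dump and
# snapshot lines omitted; the last entry has no fuzzy hashes on the page).
SAMPLE = """\
APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Strings
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID: @.B
• API String ID: 3521780317-470711618
• Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
• Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
Uniqueness
Uniqueness Score: -1.00%
APIs
• __getptd.LIBCMT ref: 00413FD8
• __amsg_exit.LIBCMT ref: 00413FF8
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(007C1608), ref: 00414050
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
• Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
"""

# "• Name.MODULE(args), ref: ADDR" with optional "(args)" and optional comma.
API_LINE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,? ref: (?P<addr>[0-9A-F]+)$")
# "• Key: value" lines of the Similarity block (key has no '.' or '_').
FIELD_LINE = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
SUBCALL = "Part of subcall function"
# APIs used to resolve other APIs at run time (this example's own list).
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)     # (name, module, args, addr), direct
    subcalls: list = field(default_factory=list)  # same shape, made by callees
    fields: dict = field(default_factory=dict)    # API ID, String ID, Opcode ID, ...

    @property
    def modules(self):
        return {module for _, module, _, _ in self.calls}


def parse_entries(text):
    """Split the report text at each 'APIs' header and parse one entry per block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:          # text before the first entry
            continue
        if line.startswith("Uniqueness Score:"):
            current.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            continue
        is_sub = line.startswith("• " + SUBCALL)
        if is_sub:                   # drop the "Part of subcall function XXXX: " prefix
            line = "• " + line.split(": ", 1)[1]
        m = API_LINE.match(line)
        if m:
            rec = (m["name"], m["module"], m["args"] or "", m["addr"])
            (current.subcalls if is_sub else current.calls).append(rec)
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return entries


def resolved_names(entry):
    """Names looked up at run time: GetProcAddress's second argument as recorded."""
    return [args.split(",")[1] for name, _, args, _ in entry.calls
            if name == "GetProcAddress" and "," in args]


def triage(entry):
    names = {name for name, _, _, _ in entry.calls}
    if names & RESOLVERS:
        return "dynamic-api-resolution"
    if entry.modules and entry.modules <= {"LIBCMT"}:
        return "crt-internal"        # statically linked MSVC runtime helper
    return "win32-import"


def summarize(text):
    return [{"class": triage(e),
             "api_id": e.fields.get("API ID", ""),
             "opcode_id": e.fields.get("Opcode ID", ""),
             "instruction_fuzzy_hash": e.fields.get("Instruction Fuzzy Hash"),
             "resolved": resolved_names(e)} for e in parse_entries(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["class"], row["api_id"], row["resolved"])
```

The third sample entry is the kind that feeds the report's "Contains functionality to dynamically determine API calls" signature. Before reading it as the stealer hiding its imports, look at the resolved name: GetModuleHandleA on KERNEL32 followed by GetProcAddress for IsProcessorFeaturePresent is also what statically linked MSVC runtime startup code does, and this helper sits among the LIBCMT functions at neighbouring addresses, so on its own it says nothing about the payload. The Instruction Fuzzy Hash is what you carry across reports to recognise the same runtime helpers in other samples.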

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Strings
Memory Dump Source
• Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
• Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
• Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • __fileno.LIBCMT ref: 0040C77C
                                                                                                                                                                                                                                                      • __locking.LIBCMT ref: 0040C791
                                                                                                                                                                                                                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                                                                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 2395185920-0
                                                                                                                                                                                                                                                      • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                                                                                                      • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: _fseek_malloc_memset
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 208892515-0
                                                                                                                                                                                                                                                      • Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                                                                                                                                      • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • __flush.LIBCMT ref: 0040BB6E
                                                                                                                                                                                                                                                      • __fileno.LIBCMT ref: 0040BB8E
                                                                                                                                                                                                                                                      • __locking.LIBCMT ref: 0040BB95
                                                                                                                                                                                                                                                      • __flsbuf.LIBCMT ref: 0040BBC0
                                                                                                                                                                                                                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                                                                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3240763771-0
                                                                                                                                                                                                                                                      • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                                                                                                      • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                                                                                                                                                                                                                      • __isleadbyte_l.LIBCMT ref: 00415307
                                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      • Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                      • API String ID: 3058430110-0
                                                                                                                                                                                                                                                      • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                                                                                                                                      • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                      • Source File: 00000000.00000002.313677819.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.313773202.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.313818591.000000000045A000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
Uniqueness
• Uniqueness Score: -1.00%