
Windows Analysis Report
7YtmCkMUx3.dll

Overview

General Information

Sample name: 7YtmCkMUx3.dll (renamed because the original name is a hash value)
Original sample name: 48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff.dll
Analysis ID: 1557650
MD5: 4068a0a6099bb556a4ed42265efdfeb1
SHA1: 1512394c8919d6790c307f638023c5e7ec18db68
SHA256: 48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
Tags: 103-45-64-91dlluser-JAMESWT_MHT

Detection

GhostRat, Mimikatz, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7780 cmdline: loaddll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7840 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7932 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7948 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7848 cmdline: rundll32.exe C:\Users\user\Desktop\7YtmCkMUx3.dll,Shellex MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7924 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7940 cmdline: cmd /c md C:\Users\Public\Documents\MM MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Mimikatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Name: Nitol
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
No configs have been found
Source | Rule | Description | Author
7YtmCkMUx3.dll | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
7YtmCkMUx3.dll | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
7YtmCkMUx3.dll | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
7YtmCkMUx3.dll | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth
  • 0x11fcf7:$x1: sekurlsa::logonpasswords
7YtmCkMUx3.dll | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x10444a:$h1: Hid_State
  • 0x1169b0:$h1: Hid_State
  • 0x10445e:$h2: Hid_StealthMode
  • 0x1169d0:$h2: Hid_StealthMode
  • 0x10447e:$h3: Hid_HideFsDirs
  • 0x1169f0:$h3: Hid_HideFsDirs
  • 0x10449c:$h4: Hid_HideFsFiles
  • 0x116a10:$h4: Hid_HideFsFiles
  • 0x1044bc:$h5: Hid_HideRegKeys
  • 0x116a30:$h5: Hid_HideRegKeys
  • 0x1044dc:$h6: Hid_HideRegValues
  • 0x116a50:$h6: Hid_HideRegValues
  • 0x104500:$h7: Hid_IgnoredImages
  • 0x116a80:$h7: Hid_IgnoredImages
  • 0x104524:$h8: Hid_ProtectedImages
  • 0x116ab0:$h8: Hid_ProtectedImages
  • 0x108d66:$s1: FLTMGR.SYS
  • 0x11c6da:$s1: FLTMGR.SYS
  • 0x1092e2:$s2: HAL.dll
  • 0x105e86:$s3: \SystemRoot\System32\csrss.exe
  • 0x118630:$s3: \SystemRoot\System32\csrss.exe
Source | Rule | Description | Author
00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Process Memory Space: loaddll32.exe PID: 7780 | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Process Memory Space: rundll32.exe PID: 7848 | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security
Source | Rule | Description | Author
5.2.rundll32.exe.100fbd38.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
4.2.rundll32.exe.1010b380.1.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
4.2.rundll32.exe.1010b380.1.raw.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xb630:$h1: Hid_State
  • 0xb650:$h2: Hid_StealthMode
  • 0xb670:$h3: Hid_HideFsDirs
  • 0xb690:$h4: Hid_HideFsFiles
  • 0xb6b0:$h5: Hid_HideRegKeys
  • 0xb6d0:$h6: Hid_HideRegValues
  • 0xb700:$h7: Hid_IgnoredImages
  • 0xb730:$h8: Hid_ProtectedImages
  • 0x1135a:$s1: FLTMGR.SYS
  • 0xd2b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
4.2.rundll32.exe.100fbd38.2.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0x7b12:$h1: Hid_State
  • 0x7b26:$h2: Hid_StealthMode
  • 0x7b46:$h3: Hid_HideFsDirs
  • 0x7b64:$h4: Hid_HideFsFiles
  • 0x7b84:$h5: Hid_HideRegKeys
  • 0x7ba4:$h6: Hid_HideRegValues
  • 0x7bc8:$h7: Hid_IgnoredImages
  • 0x7bec:$h8: Hid_ProtectedImages
  • 0xc42e:$s1: FLTMGR.SYS
  • 0xc9aa:$s2: HAL.dll
  • 0x954e:$s3: \SystemRoot\System32\csrss.exe
  • 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
  • 0x258:$s5: INIT
  • 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
0.2.loaddll32.exe.1010b380.2.unpack | INDICATOR_TOOL_RTK_HiddenRootKit | Detects the Hidden public rootkit | ditekSHen
  • 0xaa30:$h1: Hid_State
  • 0xaa50:$h2: Hid_StealthMode
  • 0xaa70:$h3: Hid_HideFsDirs
  • 0xaa90:$h4: Hid_HideFsFiles
  • 0xaab0:$h5: Hid_HideRegKeys
  • 0xaad0:$h6: Hid_HideRegValues
  • 0xab00:$h7: Hid_IgnoredImages
  • 0xab30:$h8: Hid_ProtectedImages
  • 0xfb5a:$s1: FLTMGR.SYS
  • 0xc6b0:$s3: \SystemRoot\System32\csrss.exe
  • 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ

System Summary

Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7924, TargetFilename: C:\Users\Public\Documents\MM
No Suricata rule has matched

AV Detection

Source: 7YtmCkMUx3.dll, Avira: detected
Source: 7YtmCkMUx3.dll, ReversingLabs: Detection: 68%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 93.7% probability
Source: 7YtmCkMUx3.dll, Joe Sandbox ML: detected
Source: 7YtmCkMUx3.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.3880066814.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.3880066814.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,0_2_100254C0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_100254C0 wcstombs,NetUserEnum,wcstombs,NetApiBufferFree,NetApiBufferFree,LocalAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalReAlloc,4_2_100254C0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,0_2_10009080
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_100092A0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,0_2_100097D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,0_2_1002AB10
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose,0_2_10009B60
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,0_2_10009C40
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,0_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,4_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose,4_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose,4_2_1002AB10
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10009B60 FindFirstFileA,FindClose,FindClose,4_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA,4_2_10009C40
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825,4_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,0_2_10008E50
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_1002E040
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then test byte ptr [101218F4h], 00000008h 0_2_1003E318
Source: C:\Windows\System32\loaddll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 0_2_1003E490
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_1002E040
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then test byte ptr [101218F4h], 00000008h 4_2_1003E318
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then movdqa dqword ptr [edi], xmm7 4_2_1003E490
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10014060 InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,#823,HttpQueryInfoA,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strstr,strstr,#825,strstr,strncpy,strstr,#825,strstr,strncat,strstr,#825,InternetOpenA,InternetConnectA,InternetCloseHandle,sprintf,sprintf,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,sprintf,HttpSendRequestA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,atol,#823,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,MultiByteToWideChar,#823,MultiByteToWideChar,#825,WideCharToMultiByte,#823,WideCharToMultiByte,#825,strstr,#825,#825,0_2_10014060
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://ptlogin2.qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: http://qun.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: http://qun.qq.com%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
Source: loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: loaddll32.exe, rundll32.exe, String found in binary or memory: https://ssl.ptlogin2.qq.com%sAccept-Language:
Source: rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll, String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\loaddll32.exe, Code function: <BackSpace> 0_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: <Enter> 0_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <BackSpace> 4_2_1000B840
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: <Enter> 4_2_1000B840
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,0_2_100026B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,0_2_10002770
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_100029D0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,0_2_10017BB0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_100026B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,4_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10002770 OpenClipboard,GetClipboardData,GlobalLock,GlobalLock,strstr,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,4_2_10002770
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_100029D0 printf,OpenClipboard,GlobalAlloc,GlobalLock,strstr,strstr,strstr,atoi,strstr,strstr,strstr,atoi,Sleep,Sleep,atoi,strstr,Sleep,Sleep,printf,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_100029D0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10017BB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,4_2_10017BB0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100025B0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,0_2_100025B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000B840 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,0_2_1000B840

E-Banking Fraud

Source: C:\Windows\System32\loaddll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 0_2_1000BFE0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: malloc,SetEvent,GetUserNameA,_strcmpi,Sleep,Sleep,sprintf,sprintf,sprintf,sprintf,free,strstr,strstr,strstr,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,_strcmpi,free,free,CloseHandle,free,CloseHandle,CloseHandle,CloseHandle,CloseHandle,free, Applications\iexplore.exe 4_2_1000BFE0

                  System Summary

                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 5.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 5.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 5.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 5.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects the Hidden public rootkit Author: ditekSHen
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects FatalRAT Author: ditekSHen
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010190 AttachConsole,AttachConsole,Sleep,AttachConsole,GetConsoleProcessList,GetConsoleProcessList,#823,GetConsoleProcessList,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,#825,FreeConsole,FreeConsole,Sleep,FreeConsole,TerminateProcess,swprintf,SHDeleteKeyA,OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetSystemDirectoryA,GetSystemDirectoryA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,GetSystemDirectoryA,lstrcatA,DeleteFileA,LocalFree,free,free,free,GetWindowsDirectoryA,GetCurrentProcess,IsWow64Process,DeleteFileA,SetServiceStatus,ExitProcess,0_2_10010190
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010640 ExitWindowsEx,0_2_10010640
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10010640 ExitWindowsEx,4_2_10010640
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000E670 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,4_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10058060
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081090
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10097190
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100041D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003B210
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002A260
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100932B0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E2D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E470
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100373F0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003C412
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A420
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B420
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000A580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10096580
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100935E0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100945E0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10035697
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100287B0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100297D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E490
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100308D0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059900
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10080910
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007E960
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10095A10
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005BAB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007FAF0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10081AF0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10091B30
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003BB90
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10082D70
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10059DB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10083DB0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007ADD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10084DD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10037E10
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005AEA0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10093F40
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10023F60
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10078F70
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10058060
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10081090
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10097190
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100041D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003B210
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002A260
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100932B0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1007E2D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003E470
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100373F0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003C412
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001A420
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1005B420
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000A580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1007E580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10096580
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100935E0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100945E0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10035697
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100287B0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100297D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003E490
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100308D0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10059900
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10080910
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1007E960
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10095A10
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1005BAB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1007FAF0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10081AF0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10091B30
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003BB90
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10082D70
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10059DB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10083DB0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1007ADD0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10084DD0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10037E10
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1005AEA0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10093F40
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10023F60
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10078F70
                  Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001B690 appears 31 times
                  Source: 7YtmCkMUx3.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 7YtmCkMUx3.dll, type: SAMPLE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 5.2.rundll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.1010b380.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.1010b380.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.100fbd38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.100fbd38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.rundll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.rundll32.exe.1010b380.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.100fbd38.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.rundll32.exe.1010b380.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.100fbd38.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
                  Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                  Source: 7YtmCkMUx3.dll Binary string: \Device\QAssist\DosDevices\QAssistQAssist!InitializeDevice[irql:%d,pid:%d][error]: Error, device creation failed with code:%08x
                  Source: 7YtmCkMUx3.dll Binary string: \Device\QAssist\DosDevices\QAssist
                  Source: 7YtmCkMUx3.dll Binary string: \??\\Device\\SystemRoot\QAssist!CheckProtectedOperation[irql:%d,pid:%d][warning]: Warning, can't update initial state for process: %p
                  Source: 7YtmCkMUx3.dll Binary string: \Device\
                  Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_100290C0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,0_2_1001B690
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100290C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,4_2_100290C0
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001B690 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,4_2_1001B690
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA,0_2_1001B250
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100270F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_100270F0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001A100 CoInitialize,CoCreateInstance,GetDriveTypeA,SysFreeString,SysFreeString,CoUninitialize,0_2_1001A100
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
                  Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7YtmCkMUx3.dll,Shellex
                  Source: 7YtmCkMUx3.dll ReversingLabs: Detection: 68%
                  Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll"
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1
                  Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7YtmCkMUx3.dll,Shellex
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md C:\Users\Public\Documents\MM
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: mfc42.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp60.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                  Source: 7YtmCkMUx3.dll Static file information: File size 1269760 > 1048576
                  Source: Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
                  Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000002.3880066814.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000002.3880066814.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, svchos1.exe.4.dr
                  Source: Binary string: F:\hidden-master\Debug\QAssist.pdb source: loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
                  Source: svchos1.exe.4.dr Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825,0_2_10014700
                  Source: 7YtmCkMUx3.dll Static PE information: section name: .rodata
                  Source: 7YtmCkMUx3.dll Static PE information: section name: .rotext
                  Source: svchos1.exe.4.dr Static PE information: section name: .didat
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002D080 push eax; ret 0_2_1002D0AE
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002D080 push eax; ret 4_2_1002D0AE

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 4_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10025AA0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,NetUserAdd,#825,#825,wcscpy,#825,#825,NetLocalGroupAddMembers,#825,LocalFree,0_2_10025AA0
                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\Public\Documents\MM\svchos1.exe

                  Boot Survival

                  Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 0_2_1000E670
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0 4_2_1000E670
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep,0_2_1001EFD0
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,0_2_1001D150
                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001D150 IsWindowVisible,IsIconic,GetWindowTextA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,strstr,4_2_1001D150
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000E540 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,0_2_1000E540
                  Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001140 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,#825,#825,#825,#825,0_2_10001140
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001D4A0 | 0_2_1001D4A0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001DA70 | 0_2_1001DA70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001D4A0 | 4_2_1001D4A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001DA70 | 4_2_1001DA70
Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_0-21818
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\loaddll32.exe | Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc | 0_2_10019930
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: LocalAlloc,LocalAlloc,OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LocalAlloc,EnumServicesStatusA,lstrlenA,OpenServiceA,QueryServiceConfigA,LocalAlloc,QueryServiceConfigA,QueryServiceConfig2A,LocalAlloc,QueryServiceConfig2A,lstrcatA,lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalFree,LocalFree,LocalFree,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc | 4_2_10019930
Source: C:\Windows\System32\loaddll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-21957
Source: C:\Windows\System32\loaddll32.exe | API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 2.7 %
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001DA70 | 0_2_1001DA70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1001DA70 | 4_2_1001DA70
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose | 0_2_10009080
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_100092A0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose | 0_2_100097D0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose | 0_2_1002AB10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009B60 FindFirstFileA,FindClose,FindClose | 0_2_10009B60
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 0_2_10009C40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825 | 0_2_1000BD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10009080 lstrlenA,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose | 4_2_10009080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100092A0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 4_2_100092A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_100097D0 lstrlenA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,#823,#825,wsprintfA,FindNextFileA,FindClose | 4_2_100097D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1002AB10 lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,GetPrivateProfileStringA,lstrlenA,strstr,GetPrivateProfileStringA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,FindNextFileA,FindClose | 4_2_1002AB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10009B60 FindFirstFileA,FindClose,FindClose | 4_2_10009B60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10009C40 FindFirstFileA,FindClose,CloseHandle,CreateFileA | 4_2_10009C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000BD50 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z,?_Xran@std@@YAXXZ,?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,FindFirstFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,_strcmpi,DeleteFileA,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,#825,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB,DeleteFileA,#825,FindNextFileA,FindClose,RemoveDirectoryA,#825 | 4_2_1000BD50
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10008E50 GetLogicalDriveStringsA,GetUserNameA,_strcmpi,SHGetFolderPathA,CloseHandle,lstrlenA,lstrlenA,lstrlenA,GetVolumeInformationA,SHGetFileInfoA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA | 0_2_10008E50
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001B250 GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,GetDriveTypeA,GetDiskFreeSpaceExA,GetTickCount,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetLastInputInfo,GetTickCount,_access,lstrcpyA | 0_2_1001B250
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100174C0 BlockInput,BlockInput,BlockInput | 0_2_100174C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10014700 LoadLibraryA,GetProcAddress,#823,#823,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,strchr,strncat,strncat,strncat,strchr,RegQueryValueExA,wsprintfA,RegQueryValueExA,strchr,RegEnumKeyExA,wsprintfA,wsprintfA,RegEnumValueA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcatA,#825,#825 | 0_2_10014700
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000A580 LocalAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,GetProcessHeap,GetProcessHeap,CreateToolhelp32Snapshot,lstrlenA,htons,inet_ntoa,wsprintfA,wsprintfA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,htons,inet_ntoa,wsprintfA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LocalSize,LocalReAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,LocalFree,LocalFree,LocalFree,FreeLibrary,LocalReAlloc | 0_2_1000A580

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton | 0_2_1000E780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000E780 SetEvent,FindWindowA,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,FindWindowA,SendMessageA,mciSendStringA,mciSendStringA,Beep,Sleep,Beep,Sleep,GetForegroundWindow,Beep,Sleep,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,SwapMouseButton | 4_2_1000E780
Source: C:\Windows\System32\loaddll32.exe | Code function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe | 0_2_1000ED10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe | 4_2_1000ED10
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10021410 _access,GetModuleFileNameA,ShellExecuteExA,ShellExecuteExA,GetLastError,exit,_access,_access,Sleep,WinExec,WinExec,_access,WinExec,Sleep,_access,Sleep,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,Shellex | 0_2_10021410
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001EFD0 Shellex,#823,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetCurrentThreadId,PostThreadMessageA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetCommandLineA,CreateMutexA,GetLastError,strstr,Sleep,Sleep,OpenSCManagerA,OpenServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,ExitProcess,CloseServiceHandle,CloseServiceHandle,Sleep,Sleep,sprintf,ExitProcess,sprintf,sprintf,GetModuleFileNameA,sprintf,Sleep,sprintf,ExitProcess,Sleep,Sleep,Sleep,Sleep | 0_2_1001EFD0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100209D0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_100209D0
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: Shell_TrayWnd
Source: 7YtmCkMUx3.dll | Binary or memory string: Shell_TrayWndProgmanDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllrunasexplorer.exeSeDebugPrivilegecmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\AppData\Local\Google\Chrome\User Data\DefaultC:\Users\\AppData\Roaming\Microsoft\Skype for DesktopSkype.exedel /s /f %appdata%\Mozilla\Firefox\Profiles\*.dbfirefox.exe\AppData\Roaming\360se6\User Data\Default360se6.exe\AppData\Local\Tencent\QQBrowser\User Data\DefaultQQBrowser.exe\AppData\Roaming\SogouExplorerSogouExplorer.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SetupSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilege
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: Progman
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100A8230 cpuid | 0_2_100A8230
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002340 GetWindowLongA,PostQuitMessage,SetWindowLongA,GetModuleHandleA,LoadIconA,SetClassLongA,DestroyWindow,GetDlgItemTextA,GetDlgItem,SetFocus,GetLocalTime,sprintf,GetDlgItem,GetDlgItem,GetWindowTextLengthA,GetWindowTextLengthA,SetWindowTextA,GetWindowTextLengthA,SendMessageA,SendMessageA,SendMessageA,SetDlgItemTextA,GetDlgItem,SetFocus | 0_2_10002340
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1002A260 RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,wsprintfA,RegCloseKey,wsprintfA,GetComputerNameA,GetTickCount,wsprintfA,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,wsprintfA,ReleaseDC,wsprintfA,wsprintfA,wsprintfA,GetCommandLineA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,FindWindowA,GetWindow,GetWindowTextA,GetWindow,GetClassNameA,GlobalMemoryStatusEx | 0_2_1002A260
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001E020 GetVersionExA,GetModuleFileNameA,sprintf,WaitForSingleObject,CloseHandle,FindWindowA,FindWindowA,Sleep,FindWindowA,Sleep,FindWindowA,CloseHandle,ExitProcess | 0_2_1001E020

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10026980 OpenServiceA 00000000,sharedaccess,000F01FF | 0_2_10026980

                  Stealing of Sensitive Information

Source: Yara match | File source: 7YtmCkMUx3.dll, type: SAMPLE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7YtmCkMUx3.dll, type: SAMPLE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7780, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7868, type: MEMORYSTR
Source: Yara match | File source: 7YtmCkMUx3.dll, type: SAMPLE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality

Source: Yara match | File source: 7YtmCkMUx3.dll, type: SAMPLE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7YtmCkMUx3.dll, type: SAMPLE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10023650 socket,bind,getsockname,inet_addr | 0_2_10023650
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle | 0_2_10023A10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10023650 socket,bind,getsockname,inet_addr | 4_2_10023650
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10023A10 WSAStartup,socket,htons,bind,listen,accept,malloc,accept,malloc,CreateThread,Sleep,CloseHandle | 4_2_10023A10
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 111 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Service Execution | 1 Create Account | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 111 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Bootkit | 111 Windows Service | 1 Timestomp | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 23 Process Injection | 1 DLL Side-Loading | LSA Secrets | 15 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Network Share Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 12 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 23 Process Injection | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Indicator Removal | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1557650, Sample: 7YtmCkMUx3.dll, Startdate: 18/11/2024, Architecture: WINDOWS, Score: 100
• Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
• loaddll32.exe started: Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 4 other signatures
  • rundll32.exe started by loaddll32.exe: dropped C:\Users\Public\Documents\MM\svchos1.exe, PE32; Found evasive API chain (may stop execution after checking mutex); Contains functionality to automate explorer (e.g. start an application); Contains functionality to infect the boot sector; 3 other signatures
    • cmd.exe started, which started conhost.exe
    • cmd.exe started, which started conhost.exe
  • cmd.exe started by loaddll32.exe
    • rundll32.exe started by that cmd.exe
      • cmd.exe started, which started conhost.exe
      • cmd.exe started, which started conhost.exe
  • conhost.exe started by loaddll32.exe

                  SourceDetectionScannerLabelLink
                  7YtmCkMUx3.dll68%ReversingLabsWin32.Downloader.GhostRAT
                  7YtmCkMUx3.dll100%AviraBDS/Zegost.lloamn
                  7YtmCkMUx3.dll100%Joe Sandbox ML
                  SourceDetectionScannerLabelLink
                  C:\Users\Public\Documents\MM\svchos1.exe0%ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  http://qun.qq.com%sAccept-Language:0%Avira URL Cloudsafe
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://0%Avira URL Cloudsafe
                  https://ssl.ptlogin2.qq.com%sAccept-Language:0%Avira URL Cloudsafe
                  https://localhost.ptlogin2.qq.com:4301%sAccept-Language:0%Avira URL Cloudsafe
                  http://ptlogin2.qun.qq.com%sAccept-Language:0%Avira URL Cloudsafe
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt0%Avira URL Cloudsafe
                  https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt0%Avira URL Cloudsafe
                  No contacted domains info
URLs found in memory and in the binary

URL: https://ssl.ptlogin2.qq.com%s
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: none   Reputation: high

URL: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: https://localhost.ptlogin2.qq.com:4301%sAccept-Language:
  Source: loaddll32.exe, rundll32.exe
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_
  Source: rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: none   Reputation: high

URL: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txt
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: https://ssl.ptlogin2.qq.com%sAccept-Language:
  Source: loaddll32.exe, rundll32.exe
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: http://ptlogin2.qun.qq.com%s
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: none   Reputation: high

URL: http://ptlogin2.qun.qq.com%sAccept-Language:
  Source: loaddll32.exe, rundll32.exe
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: http://qun.qq.com%s
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: none   Reputation: high

URL: https://localhost.ptlogin2.qq.com:4301%s
  Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000004.00000002.3880812705.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880799207.00000000100FA000.00000008.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: none   Reputation: high

URL: http://qun.qq.com%sAccept-Language:
  Source: loaddll32.exe, rundll32.exe
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown

URL: https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1728896464326/4.txthttps://
  Source: loaddll32.exe, 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, 7YtmCkMUx3.dll
  Malicious: false   Antivirus detection: Avira URL Cloud: safe   Reputation: unknown
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1557650
                            Start date and time:2024-11-18 14:08:18 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 47s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:7YtmCkMUx3.dll
                            renamed because original name is a hash value
                            Original Sample Name:48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff.dll
                            Detection:MAL
                            Classification:mal100.bank.troj.spyw.evad.winDLL@20/1@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 9
                            • Number of non-executed functions: 279
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • VT rate limit hit for: 7YtmCkMUx3.dll
                            No simulations
                            No context
Associated samples (Joe Sandbox View)

Match: C:\Users\Public\Documents\MM\svchos1.exe (the dropped file; its hash was seen in the submissions below)
  Associated sample name    Detection    Threat name
  tROeAyXq2X.exe            malicious    Mimikatz, RunningRAT
  me.exe                    malicious    RunningRAT
  gE4NVCZDRk.exe            malicious    Bdaejec, RunningRAT
  uHmFQqHIIA.exe            malicious    RunningRAT
  ofR1Hd4NPM.exe            malicious    RunningRAT
  9JQ3JboYdz.exe            malicious    RunningRAT
  3B1TaPwSlt.exe            malicious    RunningRAT
  2Syx0ZLsgo.exe            malicious    RunningRAT
  I6A09pYeTA.exe            malicious    RunningRAT
  ExeFile (24).exe          malicious    RunningRAT

Although no scanner flags svchos1.exe in this run (ReversingLabs 0%, "Malicious: false" below), the same file has been dropped by ten earlier submissions classified as RunningRAT, which is the stronger signal for triage.
                                                Process:C:\Windows\SysWOW64\rundll32.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):61440
                                                Entropy (8bit):6.199746098562656
                                                Encrypted:false
                                                SSDEEP:1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
                                                MD5:889B99C52A60DD49227C5E485A016679
                                                SHA1:8FA889E456AA646A4D0A4349977430CE5FA5E2D7
                                                SHA-256:6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
                                                SHA-512:08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: tROeAyXq2X.exe, Detection: malicious, Browse
                                                • Filename: me.exe, Detection: malicious, Browse
                                                • Filename: gE4NVCZDRk.exe, Detection: malicious, Browse
                                                • Filename: uHmFQqHIIA.exe, Detection: malicious, Browse
                                                • Filename: ofR1Hd4NPM.exe, Detection: malicious, Browse
                                                • Filename: 9JQ3JboYdz.exe, Detection: malicious, Browse
                                                • Filename: 3B1TaPwSlt.exe, Detection: malicious, Browse
                                                • Filename: 2Syx0ZLsgo.exe, Detection: malicious, Browse
                                                • Filename: I6A09pYeTA.exe, Detection: malicious, Browse
                                                • Filename: ExeFile (24).exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.332860802416089
                                                TrID:
                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                • DOS Executable Generic (2002/1) 0.20%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:7YtmCkMUx3.dll
                                                File size:1'269'760 bytes
                                                MD5:4068a0a6099bb556a4ed42265efdfeb1
                                                SHA1:1512394c8919d6790c307f638023c5e7ec18db68
                                                SHA256:48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
                                                SHA512:2ec6049650e362150f3a1be55faf17ca3a5fc179aaca465c661c4c3de1e5e5a4f57f87eb1dcd19a2a025dfd29639e745e87730af67e1b4ac697d014ac5f722d0
                                                SSDEEP:24576:xsh4GJEk2cGtGMNBihr/abS73/iBtKB32Sttm7izM5GrkQPXHMtR1tD1bptTkRmw:oWr1PTkL
                                                TLSH:93455C43E2B64CA3D7D80034EC6AE7B677347A1C97F786737240EDD6B5A22907D2421A
                                                File Content Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........q!_..r_..r_..r...r^..ri..rY..rx.dr]..r../re..r_..r...r0..r^..r0..r[..r0..r[..r$..rX..r...rX..ri..r]..ri..r]..r..@r[..r..Br@..
                                                Icon Hash:7ae282899bbab082
                                                Entrypoint:0x1002d2eb
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x10000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                DLL Characteristics:
                                                Time Stamp:0x670CDDEE [Mon Oct 14 09:01:34 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:6718574bfa82ab04bcaf82fa9136fc6c
Entry-point instructions (0x1002d2eb, section .text)

The sequence below is the MSVC 6 C runtime's DLL startup stub (_DllMainCRTStartup), not sample-specific code: it dispatches on the fdwReason argument held in esi (0 = DLL_PROCESS_DETACH, 1 = DLL_PROCESS_ATTACH, 2 = DLL_THREAD_ATTACH, 3 = DLL_THREAD_DETACH), calls an optional raw DllMain pointer stored at [10158640h], runs CRT initialisation, and then calls the compiled-in DllMain (the call 00007F4AE0B6FA2Ah instruction). The sample's own logic is reached through that call and through its single export, Shellex. The 00007F4A... branch targets are how the report's disassembler rendered relative jumps and calls; absolute memory operands such as [1012F214h] are in the image's preferred address space (image base 0x10000000). The trailing jmp dword ptr [100B7xxxh] instructions are import thunks into the IAT at 0xb7000, and the int3 bytes are padding.
                                                push ebp
                                                mov ebp, esp
                                                push ebx
                                                mov ebx, dword ptr [ebp+08h]
                                                push esi
                                                mov esi, dword ptr [ebp+0Ch]
                                                push edi
                                                mov edi, dword ptr [ebp+10h]
                                                test esi, esi
                                                jne 00007F4AE0B7B8BBh
                                                cmp dword ptr [1012F214h], 00000000h
                                                jmp 00007F4AE0B7B8D8h
                                                cmp esi, 01h
                                                je 00007F4AE0B7B8B7h
                                                cmp esi, 02h
                                                jne 00007F4AE0B7B8D4h
                                                mov eax, dword ptr [10158640h]
                                                test eax, eax
                                                je 00007F4AE0B7B8BBh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                test eax, eax
                                                je 00007F4AE0B7B8BEh
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F4AE0B7B7CAh
                                                test eax, eax
                                                jne 00007F4AE0B7B8B6h
                                                xor eax, eax
                                                jmp 00007F4AE0B7B900h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F4AE0B6FA2Ah
                                                cmp esi, 01h
                                                mov dword ptr [ebp+0Ch], eax
                                                jne 00007F4AE0B7B8BEh
                                                test eax, eax
                                                jne 00007F4AE0B7B8E9h
                                                push edi
                                                push eax
                                                push ebx
                                                call 00007F4AE0B7B7A6h
                                                test esi, esi
                                                je 00007F4AE0B7B8B7h
                                                cmp esi, 03h
                                                jne 00007F4AE0B7B8D8h
                                                push edi
                                                push esi
                                                push ebx
                                                call 00007F4AE0B7B795h
                                                test eax, eax
                                                jne 00007F4AE0B7B8B5h
                                                and dword ptr [ebp+0Ch], eax
                                                cmp dword ptr [ebp+0Ch], 00000000h
                                                je 00007F4AE0B7B8C3h
                                                mov eax, dword ptr [10158640h]
                                                test eax, eax
                                                je 00007F4AE0B7B8BAh
                                                push edi
                                                push esi
                                                push ebx
                                                call eax
                                                mov dword ptr [ebp+0Ch], eax
                                                mov eax, dword ptr [ebp+0Ch]
                                                pop edi
                                                pop esi
                                                pop ebx
                                                pop ebp
                                                retn 000Ch
                                                jmp dword ptr [100B7424h]
                                                jmp dword ptr [100B7420h]
                                                jmp dword ptr [100B7418h]
                                                jmp dword ptr [100B73F4h]
                                                jmp dword ptr [100B73BCh]
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                jmp dword ptr [00000000h]
                                                Programming Language:
                                                • [ C ] VS98 (6.0) SP6 build 8804
                                                • [IMP] VS2005 build 50727
                                                • [C++] VS98 (6.0) SP6 build 8804
                                                • [ C ] VS98 (6.0) build 8168
                                                • [C++] VS98 (6.0) build 8168
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                • [LNK] VS98 (6.0) imp/exp build 8168
Data directories
  Name                                   Virtual address   Virtual size   Section
  IMAGE_DIRECTORY_ENTRY_EXPORT           0xf9740           0x40           .rdata
  IMAGE_DIRECTORY_ENTRY_IMPORT           0xf7088           0x190          .rdata
  IMAGE_DIRECTORY_ENTRY_RESOURCE         0x199000          0x10           .rsrc
  IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
  IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
  IMAGE_DIRECTORY_ENTRY_BASERELOC        0x19a000          0x66a8         .reloc
  IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
  IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
  IMAGE_DIRECTORY_ENTRY_IAT              0xb7000           0x754          .rdata
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
  IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
Sections
  Name      Virtual address   Virtual size   Raw size   MD5                                Xored PE   ZLIB complexity       File type   Entropy              Characteristics
  .text     0x1000            0x97d6a        0x98000    484243794d383e0a45efe94968c87e99   False      0.4028207879317434    data        6.772762475501996    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rodata   0x99000           0x2e50         0x3000     0ca3681ca0d1b13e402ba8d29971b5f2   False      0.28173828125         data        6.052273401613891    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rotext   0x9c000           0x1ae92        0x1b000    feea7fb2aafa1df6f6a0eec408bdf924   False      0.14991138599537038   data        5.997790228248824    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rdata    0xb7000           0x42780        0x43000    d1a6ba800ad183e46ec00014b6d8aade   False      0.0963007229477612    data        3.585827865706803    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .data     0xfa000           0x9e7e0        0x32000    b468714674751d9be34247aa7672e003   False      0.2993994140625       data        5.522901240831997    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .rsrc     0x199000          0x10           0x1000     620f0b67a91f7f74151bc5be745b7110   False      0.00634765625         data        0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .reloc    0x19a000          0x803e         0x9000     6b35bb8326d6b6f119a625b7dee08e9e   False      0.5600043402777778    data        5.559794854272469    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Two things stand out in this table. .rodata and .rotext are flagged IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, so they are executable code sections despite names that suggest read-only data, whereas a plain MSVC 6 build emits a single .text code section. .rsrc is 16 bytes with entropy 0.0, so the DLL carries no usable resources. No section approaches entropy 7, which is consistent with the DLL not being packed.
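The header fields and section table above are what a sandbox reads before running anything. As an added example (not part of the Joe Sandbox report, and written against the standard library rather than pefile so it runs anywhere), the script below parses a PE32 header, locates the entry point's section, decodes the compile timestamp, and applies the section and DLL-characteristics checks discussed above. Its input is a constructed headers-only PE image whose field values copy this report's header (image base 0x10000000, entry point RVA 0x2d2eb, timestamp 0x670CDDEE, the seven section rows); the bytes are not the real sample, and the "conventional code section" name list is an assumption.

```python
"""Minimal PE32 header parser with the header checks a sandbox report summarises.

Added example, not part of the Joe Sandbox report. The PE image built by
build_headers_only_pe() is constructed in memory; its values copy the report's
header and section table, but it is not the real sample.
"""
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
CONVENTIONAL_CODE_SECTIONS = {".text", ".code", "CODE"}  # assumption: names expected for code

# (name, virtual address, virtual size, raw size, characteristics), copied from the report.
REPORT_SECTIONS = [
    (".text",   0x1000,   0x97d6a, 0x98000, 0x60000020),
    (".rodata", 0x99000,  0x2e50,  0x3000,  0x60000020),
    (".rotext", 0x9c000,  0x1ae92, 0x1b000, 0x60000020),
    (".rdata",  0xb7000,  0x42780, 0x43000, 0x40000040),
    (".data",   0xfa000,  0x9e7e0, 0x32000, 0xc0000040),
    (".rsrc",   0x199000, 0x10,    0x1000,  0x40000040),
    (".reloc",  0x19a000, 0x803e,  0x9000,  0x42000040),
]


def build_headers_only_pe(sections, timestamp=0x670CDDEE, image_base=0x10000000,
                          entry_rva=0x2d2eb, file_chars=0x210E, dll_chars=0):
    """Construct DOS header + PE signature + COFF + PE32 optional header + section headers."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # PE32 optional header including 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, file_chars)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 6, 0, 0, 0, 0, entry_rva, 0x1000, 0,
                      image_base, 0x1000, 0x1000)          # magic .. FileAlignment
    opt += struct.pack("<" + "H" * 6, 4, 0, 4, 0, 4, 0)    # OS/image/subsystem versions
    opt += struct.pack("<IIII", 0, 0x1a1000, 0x1000, 0)    # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, dll_chars)                # Subsystem (GUI), DllCharacteristics
    opt += struct.pack("<" + "I" * 6, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (8 * 16)                                # empty data directories
    if len(opt) != opt_size:
        raise RuntimeError("optional header size mismatch")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va, raw, 0, 0, 0, 0, 0, chars)
                    for name, va, vsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


def parse_pe(data: bytes) -> dict:
    """Parse the fields a triage needs from a PE32 image (headers only; no sections are read)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw, "characteristics": chars})
    return {"machine": machine, "timestamp": ts, "is_dll": bool(file_chars & IMAGE_FILE_DLL),
            "entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(pe: dict) -> dict:
    """Apply the header checks: entry-point section, odd executable sections, W+X, growth in memory, ASLR/DEP flags."""
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
        executable = s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and s["name"] not in CONVENTIONAL_CODE_SECTIONS:
            findings.append(f"executable section with unconventional name: {s['name']}")
        if executable and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section: {s['name']}")
        if s["vsize"] > s["raw_size"]:
            findings.append(f"{s['name']} is larger in memory (0x{s['vsize']:x}) than on disk (0x{s['raw_size']:x})")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    if not pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("no DYNAMIC_BASE flag (no ASLR)")
    if not pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("no NX_COMPAT flag (no DEP opt-in)")
    compiled = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    return {"entry_va": pe["image_base"] + pe["entry_rva"], "entry_section": entry_section,
            "compiled_utc": compiled.isoformat(), "findings": findings}


if __name__ == "__main__":
    result = triage(parse_pe(build_headers_only_pe(REPORT_SECTIONS)))
    print(f"entry 0x{result['entry_va']:x} in {result['entry_section']}, compiled {result['compiled_utc']}")
    for f in result["findings"]:
        print(" -", f)
```

On the report's values this reproduces the entry point 0x1002d2eb in .text and the 14 October 2024 09:01:34 UTC timestamp, and flags .rodata and .rotext as executable sections with data-like names, .data as growing from 0x32000 on disk to 0x9e7e0 in memory, and the empty DllCharacteristics field (no ASLR or DEP opt-in, as expected for a VC6 build).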
                                                DLLImport
                                                KERNEL32.dllProcess32First, GetSystemDirectoryA, TerminateProcess, OpenProcess, ExitProcess, GetVersion, DeviceIoControl, Beep, GetVersionExA, GetModuleFileNameA, WinExec, TerminateThread, GetTickCount, GetCommandLineA, FreeConsole, GetCurrentProcessId, GetConsoleProcessList, AttachConsole, GetWindowsDirectoryA, WideCharToMultiByte, MultiByteToWideChar, GlobalSize, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryW, GlobalMemoryStatusEx, GetDriveTypeA, ReleaseMutex, CreateMutexA, GetCurrentThread, GetEnvironmentVariableA, GetCurrentThreadId, CreatePipe, CopyFileA, lstrcpyW, Module32Next, lstrcmpiA, Module32First, CreateRemoteThread, GetProcessId, ResumeThread, OpenThread, Thread32Next, Thread32First, SuspendThread, Process32Next, GlobalMemoryStatus, GetComputerNameA, GetPrivateProfileStringA, SystemTimeToTzSpecificLocalTime, lstrcpynA, lstrcmpA, lstrcatA, CreateProcessA, GetProcAddress, lstrcpyA, CreateDirectoryA, GetLastError, DeleteFileA, GetCurrentProcess, IsWow64Process, SetFilePointer, WriteFile, CreateFileA, GetFileSize, ReadFile, lstrlenA, FreeLibrary, IsBadReadPtr, VirtualProtect, HeapReAlloc, HeapAlloc, GetProcessHeap, HeapFree, CancelIo, SetEvent, ResetEvent, CreateEventA, LocalAlloc, LocalReAlloc, LocalSize, LocalFree, Sleep, GetFileAttributesA, GetModuleHandleA, GetLocalTime, GlobalAlloc, GlobalLock, GlobalFree, GlobalUnlock, CreateThread, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, VirtualFree, DeleteCriticalSection, InitializeCriticalSection, InterlockedExchange, CreateToolhelp32Snapshot, GetFileAttributesExA, FileTimeToSystemTime, MoveFileA, SetFileAttributesA, RemoveDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetLogicalDriveStringsA, GetVolumeInformationA, GetPriorityClass, GetDiskFreeSpaceExA, WaitForSingleObject, CloseHandle, LoadLibraryA, GetSystemInfo
                                                USER32.dllSetRect, GetCursorPos, GetCursorInfo, PostMessageA, SetCursorPos, WindowFromPoint, SetCapture, MapVirtualKeyA, SystemParametersInfoA, ReleaseDC, BlockInput, DestroyCursor, LoadCursorA, GetDC, GetSystemMetrics, ChangeDisplaySettingsA, FindWindowA, ShowWindow, MoveWindow, GetWindowRect, SwapMouseButton, ExitWindowsEx, EnumWindows, GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA, CharNextA, GetDesktopWindow, wsprintfA, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, GetWindowLongA, PostQuitMessage, SetWindowLongA, LoadIconA, SetClassLongA, DestroyWindow, SetFocus, GetWindowTextLengthA, SetWindowTextA, SetDlgItemTextA, CreateDialogIndirectParamA, GetDlgItem, SetWindowPos, OpenInputDesktop, GetDlgItemTextA, CloseDesktop, GetThreadDesktop, GetUserObjectInformationA, SetThreadDesktop, GetWindowThreadProcessId, WaitForInputIdle, GetClassNameA, GetWindow, GetLastInputInfo, IsIconic, MessageBoxA, IsWindowVisible, GetMessageA, IsDialogMessageA, TranslateMessage, SendMessageA, DispatchMessageA
                                                GDI32.dllGetDeviceCaps, CreateDIBSection, CreateCompatibleDC, DeleteObject, DeleteDC, BitBlt, GetRegionData, CombineRgn, CreateRectRgnIndirect, GetDIBits, CreateCompatibleBitmap, SelectObject
                                                ADVAPI32.dllRegOpenKeyA, GetTokenInformation, LookupAccountSidA, AbortSystemShutdownA, RegCloseKey, RegOpenKeyExA, GetUserNameA, CloseEventLog, ClearEventLogA, OpenEventLogA, RegSetValueExA, RegCreateKeyA, StartServiceA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, SetServiceStatus, DeleteService, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AllocateAndInitializeSid, RegEnumValueA, RegEnumKeyExA, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegQueryInfoKeyA, RegCreateKeyExA, UnlockServiceDatabase, ChangeServiceConfigA, LockServiceDatabase, ControlService, QueryServiceStatus, QueryServiceConfig2A, QueryServiceConfigA, EnumServicesStatusA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CheckTokenMembership
                                                SHELL32.dllShellExecuteExA, SHGetFolderPathA, SHGetSpecialFolderPathA, SHGetFileInfoA, ShellExecuteA
                                                ole32.dllCoUninitialize, CoCreateInstance, CoInitialize
                                                OLEAUT32.dllSysFreeString
                                                MFC42.DLL
                                                MSVCRT.dll_adjust_fdiv, _initterm, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _snprintf, swprintf, _splitpath, strncpy, atol, strncat, realloc, fgets, srand, time, isdigit, _iob, _access, wcstombs, mbstowcs, _errno, _wcsupr, _strcmpi, _itoa, _strnicmp, fprintf, sscanf, getenv, vsprintf, exit, __CxxFrameHandler, memmove, ceil, _ftol, strstr, wcslen, wcscpy, sprintf, printf, fclose, fopen, remove, atoi, free, malloc, strncmp, _CIpow, floor, strchr, tolower, _CxxThrowException, _stricmp, _except_handler3, strrchr, _strlwr, wcsstr, rand, system
MSVCP60.dll: ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?_Xlen@std@@YAXXZ, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z, ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ
WINMM.dll: mciSendStringA, waveInGetNumDevs
WS2_32.dll: gethostname, inet_addr, getsockname, bind, getpeername, accept, listen, sendto, recvfrom, ntohs, inet_ntoa, send, closesocket, recv, select, gethostbyname, connect, setsockopt, WSAIoctl, WSACleanup, WSAStartup, __WSAFDIsSet, ioctlsocket, socket, htons
iphlpapi.dll: GetIfTable
dwmapi.dll: DwmIsCompositionEnabled
SHLWAPI.dll: PathFindFileNameA, PathUnquoteSpacesA, PathRemoveArgsA, PathGetArgsA, SHDeleteKeyA
WININET.dll: InternetGetConnectedState, InternetReadFile, HttpSendRequestA, InternetOpenUrlA, HttpOpenRequestA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA
NETAPI32.dll: NetUserSetInfo, NetUserAdd, NetUserGetLocalGroups, NetApiBufferFree, NetUserGetInfo, NetUserEnum, NetLocalGroupAddMembers, NetUserDel
PSAPI.DLL: GetProcessMemoryInfo, GetModuleFileNameExA
WTSAPI32.dll: WTSEnumerateSessionsA, WTSDisconnectSession, WTSLogoffSession, WTSQuerySessionInformationA, WTSFreeMemory, WTSQuerySessionInformationW
Exports (Name, Ordinal, Address):
Shellex, 1, 0x1001efd0
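As an added example (not part of the Joe Sandbox report), the following Python script performs a capa-style static triage over the import table above: it maps the DLL/import pairs onto coarse capability tags so an analyst can see what the binary could do before reading the behaviour sections. The capability rules and their thresholds are my own assumptions, and the CRT/MSVCP60 imports are omitted because they carry no capability signal.

```python
"""Static capability triage of a PE import table.

Added example, not sandbox output. The IMPORTS dict is constructed from the
import table printed in the report above (CRT / MSVCP60 entries left out).
The RULES table is an assumed, deliberately small mapping from well-known
Win32 API names to capability tags.
"""


# Constructed from the report's import table (subset).
IMPORTS = {
    "WS2_32.dll": ["gethostname", "inet_addr", "getsockname", "bind", "getpeername",
                   "accept", "listen", "sendto", "recvfrom", "ntohs", "inet_ntoa",
                   "send", "closesocket", "recv", "select", "gethostbyname",
                   "connect", "setsockopt", "WSAIoctl", "WSACleanup", "WSAStartup",
                   "__WSAFDIsSet", "ioctlsocket", "socket", "htons"],
    "WININET.dll": ["InternetGetConnectedState", "InternetReadFile", "HttpSendRequestA",
                    "InternetOpenUrlA", "HttpOpenRequestA", "InternetOpenA",
                    "InternetConnectA", "InternetCloseHandle", "HttpQueryInfoA"],
    "NETAPI32.dll": ["NetUserSetInfo", "NetUserAdd", "NetUserGetLocalGroups",
                     "NetApiBufferFree", "NetUserGetInfo", "NetUserEnum",
                     "NetLocalGroupAddMembers", "NetUserDel"],
    "WTSAPI32.dll": ["WTSEnumerateSessionsA", "WTSDisconnectSession", "WTSLogoffSession",
                     "WTSQuerySessionInformationA", "WTSFreeMemory",
                     "WTSQuerySessionInformationW"],
    "PSAPI.DLL": ["GetProcessMemoryInfo", "GetModuleFileNameExA"],
    "SHLWAPI.dll": ["PathFindFileNameA", "PathUnquoteSpacesA", "PathRemoveArgsA",
                    "PathGetArgsA", "SHDeleteKeyA"],
    "iphlpapi.dll": ["GetIfTable"],
    "WINMM.dll": ["mciSendStringA", "waveInGetNumDevs"],
    "dwmapi.dll": ["DwmIsCompositionEnabled"],
}

# Assumed capability rules: tag -> (minimum number of hits, API names).
# A threshold above 1 keeps a single benign import (one socket call in a
# legitimate updater, say) from raising a tag on its own.
RULES = {
    "raw TCP client/server": (3, {"socket", "connect", "bind", "listen",
                                  "accept", "send", "recv"}),
    "HTTP download": (2, {"InternetOpenA", "InternetOpenUrlA", "HttpOpenRequestA",
                          "HttpSendRequestA", "InternetReadFile"}),
    "local account creation": (2, {"NetUserAdd", "NetUserSetInfo",
                                   "NetLocalGroupAddMembers"}),
    "local account deletion": (1, {"NetUserDel"}),
    "RDP/console session control": (2, {"WTSEnumerateSessionsA",
                                        "WTSDisconnectSession", "WTSLogoffSession"}),
    "registry key deletion": (1, {"SHDeleteKeyA"}),
    "audio capture probing": (1, {"waveInGetNumDevs"}),
    "network interface enumeration": (1, {"GetIfTable"}),
}


def capabilities(imports):
    """Return {tag: sorted matched API names} for every rule whose threshold is met."""
    names = {api for apis in imports.values() for api in apis}
    found = {}
    for tag, (min_hits, wanted) in RULES.items():
        hits = sorted(names & wanted)
        if len(hits) >= min_hits:
            found[tag] = hits
    return found


def by_dll(imports):
    """Import count per DLL; a module contributing a single API is worth a look."""
    return {dll: len(apis) for dll, apis in imports.items()}


if __name__ == "__main__":
    for tag, hits in capabilities(IMPORTS).items():
        print(f"{tag:32s} {', '.join(hits)}")
    print(by_dll(IMPORTS))
```

Every rule in the table fires on this sample, which is consistent with the GhostRat classification in the report header: socket and WinINet transport, NetUserAdd/NetLocalGroupAddMembers for account manipulation, and WTS session control are all present in the static import table alone.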
                                                No network behavior found


                                                Target ID:0
                                                Start time:08:09:26
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\loaddll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:loaddll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll"
                                                Imagebase:0x4b0000
                                                File size:126'464 bytes
                                                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:1
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:3
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe C:\Users\user\Desktop\7YtmCkMUx3.dll,Shellex
                                                Imagebase:0xa0000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000004.00000002.3880845609.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:5
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                Wow64 process (32bit):true
                                                Commandline:rundll32.exe "C:\Users\user\Desktop\7YtmCkMUx3.dll",#1
                                                Imagebase:0xa0000
                                                File size:61'440 bytes
                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000005.00000002.3880843922.000000001011E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:6
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:9
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:cmd /c md C:\Users\Public\Documents\MM
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:10
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:11
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:12
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:13
                                                Start time:08:09:27
                                                Start date:18/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:1%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:50%
                                                  Total number of Nodes:244
                                                  Total number of Limit Nodes:11
Execution graph, condensed from the node/edge dump (addresses as in the memory dump; "→" is a call or control-flow edge, "|" separates alternative successors):

Root 1: 1001efd0 (the Shellex export)
• 1001efd0: 12 API calls, then 11 calls to 1001b660 (GetModuleHandleA → LoadLibraryA → GetProcAddress, returning to 1001f1d6, 1001f258, 1001f2c9, 1001f3ed, 1001f54e, 1001f67b, 1001f729, 1001f7c3, 1001f80d, 1001f893)
• 1001f93e: GetCurrentThreadId, PostThreadMessageA
• 1001f959: InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetCommandLineA, CreateMutexA → 1001fa63 | 1001fa52 (GetLastError) → 1001fa63 | 1001fec6
• 1001fa63 → 1001fe86 | 1001fadf
• 1001fadf → 1001fc40 | 1001faeb (strstr) → 1001fb07 (Sleep → 1001ef90) | 1001fb18 (→ 1001fee0: OpenSCManagerA, OpenServiceA, CloseServiceHandle ×3) → 1001fb22 → 1001fbb6 (sprintf) | 1001fb2d
• 1001fb2d → 1001fb52 (OpenSCManagerA) → 1001fb65 (OpenServiceA) → 1001fb7f (StartServiceA) → 1001fb8d (CloseServiceHandle ×2 → 1001ea60) → 1001fb99 (ExitProcess); on failure 1001fba0 / 1001fba2 (CloseServiceHandle) → 1001fba5 (Sleep → 1001ef90)
• 1001fbb6 (sprintf) → 1001e440 → 1001fc15 → 1001ff30 (9 API calls) → 1001fc31 → 1001ea60 → 1001fc39 (ExitProcess)
• 1001fc40 → 1001fec6 | 1001fc4c (→ 1001e440) → 1001fc5f → 1001fec6 | 1001fc98 (sprintf) → 1001fd01 → 1001fe75 (Sleep → 1001ef90) | 1001fd0a (GetModuleFileNameA, sprintf) → 1001fdbc (Sleep) → 1001fe12 → 1001e800 (GetModuleHandleA, LoadLibraryA, GetProcAddress, CloseHandle) → 1001fe2d (sprintf) → 1001fe69 → 1001ea60 → 1001fe6e (ExitProcess)
• 1001fe86 → 1001ab20 → 1001fea1 → 1001feb5 (Sleep → 1001ef90) | 1001fea8 (→ 1001e440) → 1001feb2 → 1001feb5
• Helpers:
  1001ab20 → 10014700 (LoadLibraryA, GetProcAddress, #823 ×2, RegOpenKeyExA; then RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, wsprintfA, lstrcatA, strncat ×2, strchr, RegCloseKey ×2, #825 ×2) → 1001abc8 (lstrlenA) → 1001abd6 (CreateFileA) → 1001ac17 (GetFileSize, ReadFile) → 1001ac30 (CloseHandle) → 1001ac37 (lstrlenA)
  1001ef90 → 1002bdb0 (LoadLibraryA, GetProcAddress) → 1002bdf3 (CreateThread, LoadLibraryA, GetProcAddress) → 1002be35 (CloseHandle) → 1001efa7 (WaitForSingleObject, CloseHandle); thread start 1002bcb0 → 10010ca0 → 1002bcee (LoadLibraryA, GetProcAddress) → 1002bd5e → 1002bd69 | 1002bfa0 (14 API calls)
  1001e440: 15 API calls; 1001ea60: 9 API calls; 1001ff30: 9 API calls

Root 2: 1002d2eb
• 1002d2eb → 1002d2fe | 1002d307; 1002d240 (malloc, _initterm, free) is reached from 1002d323, 1002d347 and 1002d358 and returns to 1002d32b, 1002d34f and 1002d360 respectively; 1002d32f is the common exit
• 1002d2fe → 100214b0 → 10021588 | 100214be → 10021410 (_access) → 1002142b → 100209d0 (AllocateAndInitializeSid → 10020a1a: CheckTokenMembership, FreeSid) → 1002143d (GetModuleFileNameA) → 10021453 → 1002145b (ShellExecuteExA) → 10021497 (GetLastError, loops back to ShellExecuteExA) | 1002149f (exit)
• 100214c3 (_access) → 100214e0 (WinExec, _access) → 10021500 (WinExec, Sleep, _access; self-loop) | 10021521 (Sleep) → 10020f70 → 10020f30 (GetModuleFileNameA → CopyFileA) → 10020f81 (std::cout <<, endl) | 10020f9f (GetLastError, std::cout <<, endl) → 1002152d (CreateThread, thread 10020fd0: 96 API calls) → 1002154e (CloseHandle) → 10021551 (CreateThread, thread 100211c0: 41 API calls) → 10021566 (CloseHandle) → 10021569 (Shellex) → 10021588
• 10020fd0: string _Grow / _Eos / assign → 10020810 (22 API calls) → 100210b4 → 100210cd → #825 | 10021118 (Sleep) → 10021123 → 100209d0 (3 API calls) → 10021128 → 1002112c (→ 10020c20, 41 API calls) | 1002114e (GetModuleFileNameA) → 1002116e (ShellExecuteExA) → 100211a6 (GetLastError, loops) | 100211ae (exit) → 100211c0
• 100211c0: _access; string _Grow / _Eos / assign → 10020810 → 1002128d → #825; 100212e1 (Sleep, CreateFileA) → 10021310 (MessageBoxA) | 10021327 (GetFileSize) → 10021335 (MessageBoxA) | 1002134e (VirtualAlloc) → 10021369 (MessageBoxA) | 1002137d (ReadFile) → 100213c7 (MessageBoxA, VirtualFree) | 1002138e → 10021393 (CloseHandle) → 100213a0 (VirtualFree); error paths end in 100213e9 (CloseHandle) → 100213f0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
Control-flow graph of 1001efd0 (basic blocks with their API calls; "→" lists successor blocks):
• 0: 1001efd0-1001fa50: #823, lstrcpyA ×11, call 1001b660 ×11, GetCurrentThreadId, PostThreadMessageA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetCommandLineA, CreateMutexA → 25, 26
• 25: 1001fa63-1001faba → 29, 30
• 26: 1001fa52-1001fa5d: GetLastError → 25, 27
• 27: 1001fec6-1001fed2
• 29: 1001fad0-1001fad9 → 31, 32
• 30: 1001fabc-1001faca → 29
• 31: 1001fe86-1001fea6: call 1001ab20 → 41, 42
• 32: 1001fadf-1001fae5 → 34, 35
• 34: 1001fc40-1001fc46 → 27, 37
• 35: 1001faeb-1001fb05: strstr → 38, 39
• 37: 1001fc4c-1001fc92: call 1001e440 → 27, 60
• 38: 1001fb07 → 44
• 39: 1001fb18-1001fb27: call 1001fee0 → 50, 51
• 41: 1001feb5 → 47
• 42: 1001fea8-1001feb2: call 1001e440 → 41
• 44: 1001fb0d-1001fb16: Sleep, call 1001ef90
• 47: 1001febb-1001febf: Sleep, call 1001ef90 → 56
• 50: 1001fbb6-1001fc3a: sprintf, call 1001e440, call 1001ff30, call 1001ea60, ExitProcess
• 51: 1001fb2d-1001fb50 → 62, 63
• 56: 1001fec4 → 47 (loop)
• 60: 1001fc98-1001fd04: sprintf → 69, 70
• 62: 1001fb52-1001fb63: OpenSCManagerA → 63, 66
• 63: 1001fba5 → 67
• 66: 1001fb65-1001fb7d: OpenServiceA → 72, 73
• 67: 1001fbab-1001fbb4: Sleep, call 1001ef90
• 69: 1001fe75 → 74
• 70: 1001fd0a-1001fe6f: GetModuleFileNameA, sprintf, Sleep, call 1001e800, sprintf, call 1001ea60, ExitProcess
• 72: 1001fba2-1001fba3: CloseServiceHandle → 63
• 73: 1001fb7f-1001fb8b: StartServiceA → 77, 78
• 74: 1001fe7b-1001fe84: Sleep, call 1001ef90
• 77: 1001fba0: CloseServiceHandle → 72
• 78: 1001fb8d-1001fb9a: CloseServiceHandle ×2, call 1001ea60, ExitProcess
                                                  APIs
                                                  • #823.MFC42(00000849), ref: 1001EFDF
                                                  • lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                  • lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                  • lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                  • lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                  • lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                  • lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                  • lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                  • lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                  • lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                  • lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                  • lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetCurrentThreadId.KERNEL32 ref: 1001F94E
                                                  • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?), ref: 1001F955
                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?), ref: 1001F973
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?), ref: 1001F987
                                                  • GetCommandLineA.KERNEL32 ref: 1001F9B1
                                                  • CreateMutexA.KERNELBASE(?,00000000,00000000), ref: 1001FA43
                                                  • GetLastError.KERNEL32 ref: 1001FA52
                                                  • strstr.MSVCRT ref: 1001FAFA
                                                  • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?), ref: 1001FB0F
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001FB59
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 1001FB6D
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001FB82
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB8F
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FB92
                                                  • ExitProcess.KERNEL32 ref: 1001FB9A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001FBA3
                                                  • ExitProcess.KERNEL32 ref: 1001FC3A
                                                  • sprintf.MSVCRT ref: 1001FC05
                                                    • Part of subcall function 1001E440: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                    • Part of subcall function 1001E440: GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                    • Part of subcall function 1001E440: sprintf.MSVCRT ref: 1001E599
                                                  • Sleep.KERNEL32(00000032), ref: 1001FBAD
                                                    • Part of subcall function 1001EF90: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,774D0F00,1001FEC4), ref: 1001EFAF
                                                    • Part of subcall function 1001EF90: CloseHandle.KERNEL32(00000000,?,?,?,?,?,774D0F00,1001FEC4,?,?,?,?,?,?,?,?), ref: 1001EFB6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$HandleService$Close$CreateDescriptorExitOpenProcessSecuritySleepThreadsprintf$#823AddressCommandCurrentDaclErrorFileInitializeLastLibraryLineLoadLocalManagerMessageModuleMutexObjectPostProcSingleStartTimeWaitstrstr
                                                  • String ID: -acsi$%$%$%$%$%$%$.$.$1.0$2$2$2$2$27.124.13.32$3$3$A$A$A$A$A$A$A$A$A$A$A$A$A$A$C$C$D$D$D$D$Default$E$E$E$E$F$F$F$F$G$G$G$G$Global\$I$I$K$L$L$M$M$N$P$P$R$S$S$S$S$S$S$S$S$T$V$a$a$a$a$a$a$a$a$a$b$b$c$c$c$c$c$d$d$d$g$g$g$g$g$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$o$o$o$open$p$p$p$p$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$v$v$v$x$y
                                                  • API String ID: 351596864-2051936253
                                                  • Opcode ID: 883ccdff635accb15a3438774b43736b792bf4128a22084744ad4c2a95e8cc9c
                                                  • Instruction ID: b4a9aafdaf77aaaa37ed98e4af6ccde984e3ddeee7ec680cf4f0b233b2d3cfa1
                                                  • Opcode Fuzzy Hash: 883ccdff635accb15a3438774b43736b792bf4128a22084744ad4c2a95e8cc9c
                                                  • Instruction Fuzzy Hash: B782057050C3C0DDE332C7688848BDFBED5ABA6708F48499DE5CC4A292D7BA5648C767

                                                  Control-flow Graph

                                                  • Control-flow graph of function 10014700-1001487f (calls LoadLibraryA, GetProcAddress, #823, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, wsprintfA, lstrcatA, strncat, strchr); the executed/not-executed block rendering and edge list of the original viewer are omitted here.
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                  • #823.MFC42(?), ref: 10014763
                                                  • #823.MFC42(?,?), ref: 100147DA
                                                  • RegOpenKeyExA.KERNELBASE(00000000,1011EF78,00000000,00020019,?), ref: 1001487A
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                    • Part of subcall function 10014C12: RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  • #825.MFC42(?), ref: 10014C2F
                                                  • #825.MFC42(?,?), ref: 10014C38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825Close$AddressLibraryLoadOpenProc
                                                  • String ID: %-24s %-$%-24s %-15$'%','-','2','4','s',' ','%','-','1','5','s',' ','0','x','%','x','(','%','d',')',' ','','r','','n','$15s $ADVAPI32.dll$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$RegOpenKeyExA$[%s]$s %s
                                                  • API String ID: 625772149-2764046103
                                                  • Opcode ID: 0024f7a14ccc40860d22aef0d45ff9c672fe43e6c44d1ee7db042c9b09f00cf4
                                                  • Instruction ID: 6f0be5dfbe458e84bf84f3ea48d1999a7ba48aff042a9fed31ad65e4978857f0
                                                  • Opcode Fuzzy Hash: 0024f7a14ccc40860d22aef0d45ff9c672fe43e6c44d1ee7db042c9b09f00cf4
                                                  • Instruction Fuzzy Hash: D2E1A0B29005189BDB14CFA8CC84AEFB7B9FB88310F554359F61AA72D0DB759E44CB90

                                                  Control-flow Graph

                                                  APIs
                                                  • _access.MSVCRT ref: 1002141D
                                                    • Part of subcall function 100209D0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                    • Part of subcall function 100209D0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                    • Part of subcall function 100209D0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10021449
                                                  • ShellExecuteExA.SHELL32(?), ref: 10021491
                                                  • GetLastError.KERNEL32 ref: 10021497
                                                  • exit.MSVCRT ref: 100214A1
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.7YTMCKMUX3 ref: 1002157D
                                                    • Part of subcall function 1001EFD0: #823.MFC42(00000849), ref: 1001EFDF
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(27.124.13.32,00000000), ref: 1001F006
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EAFC,0000012C), ref: 1001F014
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(Default,00000260), ref: 1001F022
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1.0,00000292), ref: 1001F030
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EC82,000002B2), ref: 1001F03E
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ECE6,00000316), ref: 1001F04C
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011ED66,00000396), ref: 1001F05A
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EE66,00000496), ref: 1001F068
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EF78,000005A8), ref: 1001F076
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011EFDC,0000060C), ref: 1001F084
                                                    • Part of subcall function 1001EFD0: lstrcpyA.KERNEL32(1011F018,00000648), ref: 1001F092
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$_access$CloseCreateExecHandleSleepThread$#823AllocateCheckErrorExecuteFileFreeInitializeLastMembershipModuleNameShellShellexTokenexit
                                                  • String ID: 27.124.13.32$<$C:\Users\Public\Documents\MM$C:\Users\Public\Documents\MM\svchos1.exe$cmd /c md C:\Users\Public\Documents\MM$runas
                                                  • API String ID: 2771109159-2199693279
                                                  • Opcode ID: 36aad503169ee1274fc9c4cbfcf42a4ace327da77712f7eec421170d089ec54c
                                                  • Instruction ID: dc3db40d039de9abc25196edd90fb29248c241405145caf5ffe01ce8b5589764
                                                  • Opcode Fuzzy Hash: 36aad503169ee1274fc9c4cbfcf42a4ace327da77712f7eec421170d089ec54c
                                                  • Instruction Fuzzy Hash: CE310935644315A7F620EB78AC81FCA3694EF947A0F640625F718BB1D0DBB4A84446A6

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001ABCC
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC0A
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC1A
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC2A
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,1011EF78,00000000,00000000), ref: 1001AC38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 1069036285-2757848780
                                                  • Opcode ID: 609c1d4d3e64c279bb3e05bdc0d160624767e379e680bce48e43df6b4370bf5c
                                                  • Instruction ID: 3141875a0b5f935918f5a9fe467541037c1485cf519d2f8b674b7d8fd7142dc0
                                                  • Opcode Fuzzy Hash: 609c1d4d3e64c279bb3e05bdc0d160624767e379e680bce48e43df6b4370bf5c
                                                  • Instruction Fuzzy Hash: 4631B831108790AFE311CB28CC54B9BBBD9EBC9704F444A1CFA99572D1D7B66A04CB66

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10021410: _access.MSVCRT ref: 1002141D
                                                  • _access.MSVCRT ref: 100214D0
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 100214ED
                                                  • _access.MSVCRT ref: 100214F6
                                                  • WinExec.KERNEL32(cmd /c md C:\Users\Public\Documents\MM,00000000), ref: 10021507
                                                  • Sleep.KERNEL32(000003E8), ref: 1002150E
                                                  • _access.MSVCRT ref: 10021517
                                                  • Sleep.KERNELBASE(000001F4,?,?), ref: 10021526
                                                  • CreateThread.KERNELBASE(00000000,00000000,10020FD0,00000000,00000000,00000000), ref: 10021542
                                                  • CloseHandle.KERNELBASE(00000000), ref: 1002154F
                                                  • CreateThread.KERNELBASE(00000000,00000000,100211C0,00000000,00000000,00000000), ref: 10021560
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021567
                                                  • Shellex.7YTMCKMUX3 ref: 1002157D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _access$CloseCreateExecHandleSleepThread$Shellex
                                                  • String ID: 27.124.13.32$C:\Users\Public\Documents\MM$cmd /c md C:\Users\Public\Documents\MM
                                                  • API String ID: 4276510029-3007588180
                                                  • Opcode ID: a094af8185cbb26657eb1ca2694d812e176906951f3417b68c3b962eaba4071f
                                                  • Instruction ID: 6c4449b5f383012f7d3d31629a269bb481a624e3aef786025713a4ea38c8835e
                                                  • Opcode Fuzzy Hash: a094af8185cbb26657eb1ca2694d812e176906951f3417b68c3b962eaba4071f
                                                  • Instruction Fuzzy Hash: 2411CA39B84329B6F520E7B9AC82FDE2544DB907A0F650671F7187F1C1DAB4BC4046AA

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,1011EF78,774D0F00,0000005C,00000000,00000000,774D0F00,1001FEC4), ref: 1002BDDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BDE7
                                                  • CreateThread.KERNELBASE(?,?,1002BCB0,?,?,?), ref: 1002BE15
                                                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,WaitForSingleObject,?,?,?,?,?,?,?,?,?), ref: 1002BE27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BE2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1002BE3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$CloseCreateHandleThread
                                                  • String ID: CreateEventA$KERNEL32.DLL$KERNEL32.dll$WaitForSingleObject
                                                  • API String ID: 2992130774-1666596002
                                                  • Opcode ID: 0f35f5f8818eca1f23aacf183ac02aacaaf457b8b67bb992b8442780b7d0da13
                                                  • Instruction ID: 98031d5709b35561a6933397cec99d6678911232c04989ad1de3c6a629968032
                                                  • Opcode Fuzzy Hash: 0f35f5f8818eca1f23aacf183ac02aacaaf457b8b67bb992b8442780b7d0da13
                                                  • Instruction Fuzzy Hash: 8E111E75608355AFD600EFA88C84F9BBBE8EBCC354F544A0DF698D3351C674E9058BA2

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 10020F30: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EB1A3D8,1011FA90,?,?,1002152D), ref: 10020F8C
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,1002152D), ref: 10020F93
                                                  • GetLastError.KERNEL32(?,?,1002152D), ref: 10020F9F
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EB1A3D8,1011FA78,00000000,?,?,1002152D), ref: 10020FB2
                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z.MSVCP60(?,?,?,?,1002152D), ref: 10020FBD
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,?,?,?,?,1002152D), ref: 10020FC4
                                                  Strings
                                                  • C:\Users\Public\Documents\MM\svchos1.exe, xrefs: 10020F70
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@?endl@std@@D@std@@@0@D@std@@@1@V10@V21@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastModuleNameV01@
                                                  • String ID: C:\Users\Public\Documents\MM\svchos1.exe
                                                  • API String ID: 481592904-2345221083
                                                  • Opcode ID: 11c2651b4c957b662908a6a8ac08819276dd940225fc1f4fbb4c02f7e860f6d8
                                                  • Instruction ID: 9191cda62355793243e74b4be4f538ad042f30efc769aff6ca936ed64aa651f9
                                                  • Opcode Fuzzy Hash: 11c2651b4c957b662908a6a8ac08819276dd940225fc1f4fbb4c02f7e860f6d8
                                                  • Instruction Fuzzy Hash: 9EE065B8A103106BE745A7F4AC8D9AA37D8FF4050670C1A78FD0EE6161EB39D2149711

                                                  Control-flow Graph
                                                  • 184: 10020f30-10020f4a GetModuleFileNameA
                                                  • 185: 10020f53-10020f6e CopyFileA
                                                  • 186: 10020f4c-10020f52
                                                  • Edges: 184->185, 184->186
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10020F42
                                                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10020F62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CopyModuleName
                                                  • String ID:
                                                  • API String ID: 4108865673-0
                                                  • Opcode ID: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction ID: 93f4a3cd88c2ae214515ddcb3b57ab60d0dfeb708720a14bb37e431ebb366a02
                                                  • Opcode Fuzzy Hash: 8b9eeeda643a368c08ce189f1b931563e6753a19753fcbcbb6e14da0ee54dd1c
                                                  • Instruction Fuzzy Hash: BCE012F95443006BF314DB58DCC6FE636A8BB80B00FC44918F79C851D0E6F59598C662
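The two routines above (10020F30, which resolves its own path with GetModuleFileNameA and hands it to CopyFileA, and its caller, which logs the destination C:\Users\Public\Documents\MM\svchos1.exe through the std::ostream imports and reports GetLastError on failure) amount to a self-copy into a world-writable folder under a name one character off svchost.exe. The following is an added example, not code from the report or from the sample: a Python check that runs over constructed Sysmon Event ID 11 (FileCreate) lines, flags executables created under C:\Users\Public, C:\ProgramData and C:\Windows\Temp, and rates a drop higher when its file name is within one edit of a Windows system binary name. The key=value rendering of the events, the folder list and the system-binary list are assumptions made for the example.

```python
"""Added example: flag executable drops in world-writable folders whose file
name imitates a Windows system binary, the pattern shown by the
GetModuleFileNameA + CopyFileA routine that copies the running module to
C:\\Users\\Public\\Documents\\MM\\svchos1.exe. All log lines below are
constructed for this example; they are not taken from the report."""
import re
from typing import Dict, List, Tuple

# Names a dropped executable is commonly made to imitate (assumption: the
# list is illustrative; extend it from your own golden image).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "winlogon.exe", "services.exe", "conhost.exe", "dllhost.exe"}

# World-writable locations that are a poor home for executables (assumption).
SUSPECT_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EXEC_EXT = (".exe", ".dll", ".scr", ".com")

# Sysmon Event ID 11 (FileCreate) rendered as key=value pairs; constructed input.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\System32\\rundll32.exe TargetFilename=C:\\Users\\Public\\Documents\\MM\\svchos1.exe",
    "EventID=11 Image=C:\\Program Files\\Git\\git.exe TargetFilename=C:\\Users\\alice\\src\\app\\build\\tool.exe",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\Public\\Documents\\notes.txt",
    "EventID=11 Image=C:\\Windows\\System32\\msiexec.exe TargetFilename=C:\\ProgramData\\Vendor\\updater.exe",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd /c whoami",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes (svchos1 vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line; values may contain spaces but not '='."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}

def lookalike_of(name: str) -> str:
    """Return the system binary this file name reuses or imitates (distance <= 1), else ''."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return name  # exact reuse of a system name outside the system directory
    for sysname in SYSTEM_BINARIES:
        if levenshtein(name, sysname) <= 1:
            return sysname
    return ""

def classify(line: str) -> Tuple[str, str]:
    """Return (severity, reason) for one event; severity 'ok' when nothing is wrong."""
    ev = parse_event(line)
    if ev.get("EventID") != "11":
        return ("ok", "not a file-create event")
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if not low.endswith(EXEC_EXT):
        return ("ok", "not an executable")
    if not low.startswith(SUSPECT_ROOTS):
        return ("ok", "executable written to a normal location")
    imitated = lookalike_of(low.rsplit("\\", 1)[-1])
    if imitated:
        return ("high", f"{target} is named after {imitated} in a world-writable path")
    return ("medium", f"executable dropped in world-writable path: {target}")

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and keep only the findings."""
    return [r for r in (classify(l) for l in lines) if r[0] != "ok"]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(severity, reason)
```

The edit-distance step is what separates this from a plain path match: a drop named svchost.exe would already be caught by an exact list, but svchos1.exe, svch0st.exe and similar near-misses only fall out of a distance check.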

                                                  Control-flow Graph
                                                  • 187: 10014c12-10014c27 RegCloseKey * 2
                                                  APIs
                                                  • RegCloseKey.ADVAPI32(00000000,100149B7), ref: 10014C1C
                                                  • RegCloseKey.ADVAPI32(?), ref: 10014C25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction ID: cb428774d1c23af65b3502e581b01568c295d1083760601ce9be51a3606d3d50
                                                  • Opcode Fuzzy Hash: 2d25b05425eaf0d76969a3d827c9af328c302ad55e3d4ae73cc7dce2a4c3e829
                                                  • Instruction Fuzzy Hash: 8BB09B759240389BDF54DB64DC449C937687B48200B050586B51CA3150C931AD808F90
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A591
                                                  • LoadLibraryA.KERNEL32 ref: 1000A5A9
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 1000A5C1
                                                  • GetProcAddress.KERNEL32(00000000,AllocateAndGetUdpExTableFromStack), ref: 1000A5CB
                                                  • GetProcAddress.KERNEL32(00000000,InternalGetTcpTable2), ref: 1000A5E7
                                                  • GetProcessHeap.KERNEL32(00000001), ref: 1000A602
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000AD8C
                                                  • GetProcessHeap.KERNEL32(00000002,00000002), ref: 1000ADAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHeapProcProcess$AllocLibraryLoadLocal
                                                  • String ID: %s:%u$*.*.*.*:*$AllocateAndGetTcpExTableFromStack$AllocateAndGetUdpExTableFromStack$CLOSE_WAIT$FIN_WAIT1$FIN_WAIT2$InternalGetTcpTable2$InternalGetUdpTableWithOwnerPid$LAST_ACK$TIME_WAIT$[TCP]$[UDP]$iphlpapi.dll$Mw
                                                  • API String ID: 370057222-3373319336
                                                  • Opcode ID: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction ID: 3878becebeafeda62e551408519d1494f05c47cd3e4fb1777d1cfee609c89dcd
                                                  • Opcode Fuzzy Hash: 519bc66bccf35325d0b58bf220eed18991c6d328836e432961e0ea9d9299cabc
                                                  • Instruction Fuzzy Hash: 53A2C1766083159FC324CF28CC449ABB7E5FBC9710F554A2DF94A93281DA74ED0ACB92
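The routine above loads iphlpapi.dll and resolves AllocateAndGetTcpExTableFromStack, AllocateAndGetUdpExTableFromStack, InternalGetTcpTable2 and InternalGetUdpTableWithOwnerPid by name, which together with the "%s:%u", "[TCP]", "[UDP]" and TCP state strings is a netstat-with-owner-PID listing of the kind a RAT returns to its operator. These are undocumented exports; the Ex tables they return carry the same six-DWORD row (state, local address, local port, remote address, remote port, owning PID) as the documented MIB_TCPTABLE_OWNER_PID. The following is an added example, not code from the report or from the sample: a Python decoder for that table layout, fed with byte buffers constructed here in the MIB_TCPTABLE_OWNER_PID / MIB_UDPTABLE_OWNER_PID layout (not output captured from the sample), rendering each socket the way the routine's format strings suggest. Treating the "*.*.*.*:*" string as the rendering of an unbound 0.0.0.0:0 endpoint is an assumption.

```python
"""Added example (not code from the sample or the report): decode the
owner-PID connection tables that the netstat-style routine retrieves via
iphlpapi and render them with the "%s:%u", "[TCP]" / "[UDP]" and state-name
strings the routine carries. The buffers are constructed here in the
MIB_TCPTABLE_OWNER_PID / MIB_UDPTABLE_OWNER_PID layout."""
import socket
import struct
from typing import List, Tuple

# MIB_TCP_STATE values (iprtrmib.h). The sample's strings name five of them:
# CLOSE_WAIT, FIN_WAIT1, FIN_WAIT2, LAST_ACK, TIME_WAIT.
TCP_STATES = {1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD",
              5: "ESTABLISHED", 6: "FIN_WAIT1", 7: "FIN_WAIT2",
              8: "CLOSE_WAIT", 9: "CLOSING", 10: "LAST_ACK",
              11: "TIME_WAIT", 12: "DELETE_TCB"}

# Every field is a DWORD; addresses and ports are stored in network byte
# order, a port occupying the low 16 bits of its DWORD.
COUNT = struct.Struct("<I")          # dwNumEntries header of either table
TCP_ROW = struct.Struct("<IIIIII")   # dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid
UDP_ROW = struct.Struct("<III")      # dwLocalAddr, dwLocalPort, dwOwningPid

def _addr(raw: int) -> str:
    return socket.inet_ntoa(struct.pack("<I", raw))

def _port(raw: int) -> int:
    return socket.ntohs(raw & 0xFFFF)

def endpoint(addr_raw: int, port_raw: int) -> str:
    """Render as "%s:%u"; an unbound 0.0.0.0:0 side (e.g. the remote side of a
    LISTEN row) is assumed to be what the sample prints as "*.*.*.*:*"."""
    if addr_raw == 0 and _port(port_raw) == 0:
        return "*.*.*.*:*"
    return f"{_addr(addr_raw)}:{_port(port_raw)}"

def tcp_row(state: int, laddr: str, lport: int, raddr: str, rport: int, pid: int) -> bytes:
    """Pack one MIB_TCPROW_OWNER_PID the way the API hands it back."""
    (la,) = struct.unpack("<I", socket.inet_aton(laddr))
    (ra,) = struct.unpack("<I", socket.inet_aton(raddr))
    return TCP_ROW.pack(state, la, socket.htons(lport), ra, socket.htons(rport), pid)

def udp_row(laddr: str, lport: int, pid: int) -> bytes:
    (la,) = struct.unpack("<I", socket.inet_aton(laddr))
    return UDP_ROW.pack(la, socket.htons(lport), pid)

def table(rows: List[bytes]) -> bytes:
    return COUNT.pack(len(rows)) + b"".join(rows)

# Constructed tables standing in for what the iphlpapi calls would return.
SAMPLE_TCP_TABLE = table([
    tcp_row(5, "192.168.1.20", 49152, "203.0.113.5", 443, 1234),
    tcp_row(2, "0.0.0.0", 135, "0.0.0.0", 0, 880),
    tcp_row(8, "10.0.0.7", 50000, "198.51.100.9", 80, 4321),
])
SAMPLE_UDP_TABLE = table([udp_row("0.0.0.0", 5353, 2000)])

def parse_tcp_table(buf: bytes) -> List[Tuple[str, str, str, int]]:
    """(state, local, remote, pid) per row; refuses a header that overruns the buffer."""
    (n,) = COUNT.unpack_from(buf, 0)
    if len(buf) < COUNT.size + n * TCP_ROW.size:
        raise ValueError("dwNumEntries exceeds buffer length")
    rows = []
    for i in range(n):
        st, la, lp, ra, rp, pid = TCP_ROW.unpack_from(buf, COUNT.size + i * TCP_ROW.size)
        rows.append((TCP_STATES.get(st, f"STATE_{st}"), endpoint(la, lp), endpoint(ra, rp), pid))
    return rows

def parse_udp_table(buf: bytes) -> List[Tuple[str, int]]:
    """(local, pid) per row of a MIB_UDPTABLE_OWNER_PID buffer."""
    (n,) = COUNT.unpack_from(buf, 0)
    if len(buf) < COUNT.size + n * UDP_ROW.size:
        raise ValueError("dwNumEntries exceeds buffer length")
    return [(endpoint(la, lp), pid)
            for la, lp, pid in (UDP_ROW.unpack_from(buf, COUNT.size + i * UDP_ROW.size) for i in range(n))]

def render(tcp: List[Tuple[str, str, str, int]], udp: List[Tuple[str, int]]) -> List[str]:
    """One line per socket, tagged "[TCP]" / "[UDP]" as in the sample's strings."""
    lines = [f"[TCP] {loc} -> {rem} {state} pid={pid}" for state, loc, rem, pid in tcp]
    lines += [f"[UDP] {loc} pid={pid}" for loc, pid in udp]
    return lines

if __name__ == "__main__":
    print("\n".join(render(parse_tcp_table(SAMPLE_TCP_TABLE), parse_udp_table(SAMPLE_UDP_TABLE))))
```

The length check before unpacking matters when the buffer comes from a memory dump rather than a live API call: a dwNumEntries read from a partially captured region would otherwise walk off the end of the data.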
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32 ref: 1002A387
                                                  • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000000,?,?), ref: 1002A3B6
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A3C1
                                                  • GetSystemInfo.KERNEL32(?), ref: 1002A3CF
                                                  • wsprintfA.USER32 ref: 1002A3F8
                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000043,00000000,00000001,?), ref: 1002A551
                                                  • RegQueryValueExA.ADVAPI32(00000001,ProcessorNameString,00000000,?,?,00000043), ref: 1002A59F
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002A5EF
                                                  • GetComputerNameA.KERNEL32(?,secorPlartneC), ref: 1002A645
                                                    • Part of subcall function 1002A180: WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?,?,77068400,?), ref: 1002A19F
                                                    • Part of subcall function 1002A180: WTSFreeMemory.WTSAPI32(?,00000000,000000FF,00000005,?,?,?,77068400,?), ref: 1002A1D0
                                                  • GetTickCount.KERNEL32 ref: 1002A65B
                                                  • wsprintfA.USER32 ref: 1002A6AB
                                                  • GetDC.USER32(00000000), ref: 1002A6B2
                                                  • GetDeviceCaps.GDI32(00000000,00000075), ref: 1002A6C3
                                                  • GetDeviceCaps.GDI32(00000000,00000076), ref: 1002A6C9
                                                  • wsprintfA.USER32 ref: 1002A6D9
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1002A6E1
                                                  • wsprintfA.USER32 ref: 1002A705
                                                  • wsprintfA.USER32 ref: 1002A727
                                                  • wsprintfA.USER32 ref: 1002A740
                                                  • GetCommandLineA.KERNEL32 ref: 1002A745
                                                  • wsprintfA.USER32 ref: 1002A759
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 1002A773
                                                  • wsprintfA.USER32 ref: 1002A807
                                                  • wsprintfA.USER32 ref: 1002A81F
                                                  • FindWindowA.USER32(?,00000000), ref: 1002A869
                                                  • GetWindowTextA.USER32(00000000,?,00000104), ref: 1002A8CA
                                                  • GetWindow.USER32(00000000,00000002), ref: 1002A9AA
                                                  • GetClassNameA.USER32(00000000,?,00000104), ref: 1002A9BC
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 1002A9DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wsprintf$NameQueryWindow$CapsCloseDeviceMemoryOpenValue$ClassCommandComputerCountFindFreeGlobalInfoInformationLineReleaseSessionStatusSystemTextTickUser
                                                  • String ID: %d * %d$%d*%dMHz$%s%s%s$0$A$A$A$A$C$C$C$C$CTXOPConntion_Class$D$D$D$D$E$E$E$E$H$H$I$I$I$I$N$N$O$O$P$P$P$P$ProcessorNameString$R$R$R$R$R$R$S$S$S$S$T$T$W$W$a$a$c$c$e$e$e$e$e$e$l$l$m$m$n$n$o$o$o$r$r$r$r$r$s$s$s$s$secorPlartneC$t$t$t$t$y$y$~MHz
                                                  • API String ID: 2087514681-3067132264
                                                  • Opcode ID: 780a22977bd06b248c1c45941351646c35459e245d0c50f711bce5ec33360af0
                                                  • Instruction ID: d5f8c8a2b84b820b391d25637513ee599a362881b813912133c9c190d2737c83
                                                  • Opcode Fuzzy Hash: 780a22977bd06b248c1c45941351646c35459e245d0c50f711bce5ec33360af0
                                                  • Instruction Fuzzy Hash: 0222D13050C7C19EE325C638C844B9BBBD5ABD2304F484A5DF6D94B292DBBA9908C767
                                                  APIs
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 1001410A
                                                  • InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1001413A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001414B
                                                  Strings
                                                  • nickname, xrefs: 1001464D
                                                  • xui.ptlogin2.qq.com, xrefs: 100140A2
                                                  • groups, xrefs: 100146D3
                                                  • pt_local_tk=, xrefs: 100142B5
                                                  • HTTP/1.1, xrefs: 10014170, 10014410
                                                  • 0.9475416028552021, xrefs: 100143E7
                                                  • /cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23, xrefs: 100140B4
                                                  • pt_local_token=, xrefs: 10014280
                                                  • GET, xrefs: 10014176, 10014416
                                                  • , xrefs: 10014100
                                                  • Set-Cookie: , xrefs: 1001430E, 1001435F
                                                  • Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10014456
                                                  • localhost.ptlogin2.qq.com, xrefs: 100140E0
                                                  • /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s, xrefs: 100143F3
                                                  • uin, xrefs: 10014658
                                                  • friends, xrefs: 100146B1
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 10014082
                                                  • Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded, xrefs: 100140CB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID: $/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23$/pt_get_uins?callback=ptui_getuins_CB&r=%s&%s$0.9475416028552021$Accept: */*Referer: https://localhost.ptlogin2.qq.com:4301%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$Accept: */*Referer: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23Accept-Language: zh-cnContent-Type: application/x-www-form-urlencoded$GET$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$Set-Cookie: $friends$groups$localhost.ptlogin2.qq.com$nickname$pt_local_tk=$pt_local_token=$uin$xui.ptlogin2.qq.com
                                                  • API String ID: 1463438336-3428588184
                                                  • Opcode ID: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction ID: 10a0a4d67c7a86b0295143d81d79a2071c775b89c22be300c5b0aaeb6ee9b044
                                                  • Opcode Fuzzy Hash: d5fce840208fc55bd6649f1f1c9febec2897434e5a5b3cd0b33532438a929aca
                                                  • Instruction Fuzzy Hash: C20249766047047BE310DA68DC45FEF73D9EBC4720F450A29FA05E7280EF79E90586A6
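The strings of the routine above describe the two legs of the web quick-login flow that the QQ client serves on localhost.ptlogin2.qq.com:4301: a GET over port 443 (the 000001BB passed to InternetConnectA) to xui.ptlogin2.qq.com/cgi-bin/xlogin with a hardcoded appid and pt_no_auth=1, reading "Set-Cookie: " lines for pt_local_token=, then /pt_get_uins?callback=ptui_getuins_CB&r=%s&%s with a pt_local_tk value and a Referer on the local port, and picking uin, nickname, friends and groups out of the reply. A browser performing the same login sends its own User-Agent and a fresh random r per request; the sample carries one fixed User-Agent string and the constant 0.9475416028552021 adjacent to the r=%s format string. The following is an added example, not code from the report or from the sample: a Python detector over constructed egress-proxy log lines that reports a local pt_get_uins call when it comes from a non-browser process, uses that static User-Agent, carries that fixed r value, or follows a pt_no_auth=1 xlogin from the same process, while letting a browser's genuine quick-login through. The log format, the browser/QQ-client allowlist and the 60-second window are assumptions.

```python
"""Added example (not code from the report or the sample): spot the localhost
quick-login harvesting flow in egress-proxy logs without firing on a
browser's genuine QQ quick-login. Log format, process allowlist and time
window are assumptions made for the example."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Values lifted from the sample's strings.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
FIXED_R = "0.9475416028552021"   # constant found next to the r=%s format string
LOCAL_HOST, LOCAL_PORT = "localhost.ptlogin2.qq.com", 4301
XLOGIN_HOST, XLOGIN_PATH = "xui.ptlogin2.qq.com", "/cgi-bin/xlogin"
UIN_PATH = "/pt_get_uins"

# Assumption: processes that legitimately talk to the local QQ login port.
BROWSER_OR_QQ = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "qq.exe", "tim.exe"}
WINDOW = 60  # seconds allowed between the xlogin call and the local pt_get_uins call

# Constructed egress log, one request per line, in time order:
# <unix_ts> pid=<n> image=<path> host=<h>:<p> path=<url> ua="<ua>"
LOG = [
    '100 pid=4412 image=C:\\Windows\\System32\\rundll32.exe host=xui.ptlogin2.qq.com:443 '
    'path=/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_url=http%3A%2F%2Fqun.qq.com%2Fmember.html%23 '
    'ua="Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '101 pid=4412 image=C:\\Windows\\System32\\rundll32.exe host=localhost.ptlogin2.qq.com:4301 '
    'path=/pt_get_uins?callback=ptui_getuins_CB&r=0.9475416028552021&pt_local_tk=123456 '
    'ua="Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '140 pid=2208 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe host=localhost.ptlogin2.qq.com:4301 '
    'path=/pt_get_uins?callback=ptui_getuins_CB&r=0.31415926&pt_local_tk=987654 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '150 pid=3000 image=C:\\Windows\\explorer.exe host=www.example.com:443 path=/ ua="Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<t>\d+) pid=(?P<pid>\d+) image=(?P<image>.*?) host=(?P<host>[^:\s]+):(?P<port>\d+) '
    r'path=(?P<path>\S+) ua="(?P<ua>.*)"$')

def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def query(path: str) -> Dict[str, List[str]]:
    return parse_qs(urlsplit(path).query)

def is_unauth_xlogin(ev: Dict[str, str]) -> bool:
    """First leg: xlogin on xui.ptlogin2.qq.com requested with pt_no_auth=1."""
    return (ev["host"] == XLOGIN_HOST
            and urlsplit(ev["path"]).path == XLOGIN_PATH
            and query(ev["path"]).get("pt_no_auth") == ["1"])

def is_uin_request(ev: Dict[str, str]) -> bool:
    """Second leg: pt_get_uins on the local QQ login port."""
    return (ev["host"] == LOCAL_HOST and int(ev["port"]) == LOCAL_PORT
            and urlsplit(ev["path"]).path == UIN_PATH)

def analyse(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per suspicious pt_get_uins call, with every reason that applied."""
    xlogin_seen: Dict[str, int] = {}   # pid -> timestamp of its last pt_no_auth=1 xlogin
    findings: List[Dict[str, object]] = []
    for ev in (parse_line(l) for l in lines):
        pid, t = ev["pid"], int(ev["t"])
        if is_unauth_xlogin(ev):
            xlogin_seen[pid] = t
            continue
        if not is_uin_request(ev):
            continue
        reasons = []
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in BROWSER_OR_QQ:
            reasons.append(f"non-browser process {exe}")
        if ev["ua"] == SAMPLE_UA:
            reasons.append("static MSIE 9.0 User-Agent")
        if query(ev["path"]).get("r", [""])[0] == FIXED_R:
            reasons.append(f"fixed r={FIXED_R} instead of a per-request random value")
        if pid in xlogin_seen and 0 <= t - xlogin_seen[pid] <= WINDOW:
            reasons.append("follows a pt_no_auth=1 xlogin from the same process")
        if reasons:
            findings.append({"pid": pid, "image": ev["image"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyse(LOG):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

The local endpoint alone is not a signal: every browser-based QQ quick-login hits it. The process identity, the obsolete static User-Agent and the unchanging r value are what separate the sample's harvesting from normal use, and the chaining check ties the two legs to one process.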
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001E264
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001E292
                                                  • sprintf.MSVCRT ref: 1001E2AD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1001E31B
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E34D
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E377
                                                  • FindWindowA.USER32(#32770,1011F92C), ref: 1001E391
                                                  • Sleep.KERNEL32(0000012C), ref: 1001E3A1
                                                  • FindWindowA.USER32(#32770,GINA Logon), ref: 1001E3AD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E414
                                                  • ExitProcess.KERNEL32 ref: 1001E433
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindHandleLibraryWindow$AddressCloseLoadModuleProc$ExitFileFreeNameObjectProcessSingleSleepVersionWaitsprintf
                                                  • String ID: #32770$%s -acsi$-rsvc$-wait$.$.$2$2$3$3$A$A$A$A$C$C$D$E$E$E$GINA Logon$H$I$K$L$P$S$S$V$a$a$a$c$c$d$d$d$i$i$l$l$l$l$l$l$n$n$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$v$v$v$x
                                                  • API String ID: 2386940797-994141675
                                                  • Opcode ID: 8e58b7cd7314048a3ca952b2694528a053f36a74f5ded9613e8870e3b733b8fc
                                                  • Instruction ID: 0b4892b23dda3fddd3321fbd9ae7e1bf2f5fae29934837064835f9396de239c3
                                                  • Opcode Fuzzy Hash: 8e58b7cd7314048a3ca952b2694528a053f36a74f5ded9613e8870e3b733b8fc
                                                  • Instruction Fuzzy Hash: EBC13D6040C7C49EE311C7788898B4FBFD5ABA6348F58495CF2D84B292D3BAD948C767
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 100101B3
                                                  • Sleep.KERNEL32(0000000A), ref: 100101BB
                                                  • AttachConsole.KERNEL32(?), ref: 100101C5
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
                                                  • #823.MFC42(00000000), ref: 100101E9
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 100101F9
                                                  • GetCurrentProcessId.KERNEL32 ref: 10010203
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10010217
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001022D
                                                  • #825.MFC42(00000000), ref: 1001023E
                                                  • FreeConsole.KERNEL32 ref: 1001024C
                                                  • Sleep.KERNEL32(0000000A), ref: 10010254
                                                  • FreeConsole.KERNEL32 ref: 1001025A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 10010266
                                                  • swprintf.MSVCRT(?,\Registry\Machine\System\CurrentControlSet\Services\%S,1011F500,NTDLL.DLL,ZwUnloadDriver,NTDLL.DLL,RtlInitUnicodeString,SeLoadDriverPrivilege,00000001), ref: 10010304
                                                  • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1001039A
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
                                                  • DeleteService.ADVAPI32(00000000), ref: 100103D0
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103D7
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100103DA
                                                  • GetSystemDirectoryA.KERNEL32 ref: 1001049F
                                                  • lstrcatA.KERNEL32(?,?), ref: 100104B4
                                                  • DeleteFileA.KERNEL32(?), ref: 100104C4
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10010509
                                                  • lstrcatA.KERNEL32(?,?), ref: 10010518
                                                  • DeleteFileA.KERNEL32(?), ref: 10010522
                                                  • LocalFree.KERNEL32(?), ref: 1001052A
                                                  • free.MSVCRT ref: 1001053D
                                                  • free.MSVCRT ref: 10010546
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1001055D
                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 10010568
                                                  • IsWow64Process.KERNEL32(00000000), ref: 1001056F
                                                  • DeleteFileA.KERNEL32(?), ref: 1001060E
                                                  • SetServiceStatus.ADVAPI32(?,1012BB80), ref: 1001062D
                                                  • ExitProcess.KERNEL32 ref: 1001063A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$DeleteService$CloseDirectoryFileFreeHandleOpen$AttachCurrentListSleepSystemTerminatefreelstrcat$#823#825ExitLocalManagerStatusWindowsWow64swprintf
                                                  • String ID: .$.$.sys$Host$MarkTime$NTDLL.DLL$P$RtlInitUnicodeString$SYSTEM\CurrentControlSet\Services\$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\Select$SYSTEM\Setup$SeLoadDriverPrivilege$V$ZwUnloadDriver$\$\$\Registry\Machine\System\CurrentControlSet\Services\%S$\sysnative\drivers\$\system32\drivers\$a$b$d$d$d$e$g$g$m$n$o$o$s$t$u
                                                  • API String ID: 2905031204-766513331
                                                  • Opcode ID: 5e9a9763105458d25da2cd9a7c8d780cd10ccc7712ec86b47248b6b2ff05a6d0
                                                  • Instruction ID: 0df2d05d1c38004283eae67fd2f714d6463ff2b246ad674028d2030a0443b284
                                                  • Opcode Fuzzy Hash: 5e9a9763105458d25da2cd9a7c8d780cd10ccc7712ec86b47248b6b2ff05a6d0
                                                  • Instruction Fuzzy Hash: 52D12235604354ABD310DB78CC88B9B7BD5EB84314F180A1DF689AB2D1DBB4ED44C7A6
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000104), ref: 10019960
                                                  • OpenSCManagerA.ADVAPI32 ref: 10019977
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199A3
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 100199AC
                                                  • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 100199CE
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000001), ref: 100199F4
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?), ref: 10019A1A
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A27
                                                  • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 10019A3B
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A55
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 10019A62
                                                  • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 10019A7A
                                                  • lstrcatA.KERNEL32(?,100FBD1C), ref: 10019ADB
                                                  • lstrcatA.KERNEL32(?,100FBD14), ref: 10019B06
                                                  • lstrlenA.KERNEL32(00000040), ref: 10019B1C
                                                  • lstrlenA.KERNEL32(?), ref: 10019B24
                                                  • lstrlenA.KERNEL32 ref: 10019B2F
                                                  • lstrlenA.KERNEL32(?), ref: 10019B3B
                                                  • lstrlenA.KERNEL32(?), ref: 10019B44
                                                  • lstrlenA.KERNEL32(?), ref: 10019B4C
                                                  • LocalSize.KERNEL32(?), ref: 10019B5E
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10019B70
                                                  • lstrlenA.KERNEL32(?), ref: 10019B7E
                                                  • lstrlenA.KERNEL32(?), ref: 10019B88
                                                  • lstrlenA.KERNEL32(?), ref: 10019BB1
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BC6
                                                  • lstrlenA.KERNEL32 ref: 10019BCF
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019BFA
                                                  • lstrlenA.KERNEL32 ref: 10019C0B
                                                  • lstrlenA.KERNEL32(00000000), ref: 10019C14
                                                  • lstrlenA.KERNEL32(00000001), ref: 10019C3A
                                                  • lstrlenA.KERNEL32(?), ref: 10019C49
                                                  • lstrlenA.KERNEL32(?), ref: 10019C6B
                                                  • lstrlenA.KERNEL32(?), ref: 10019C81
                                                  • lstrlenA.KERNEL32(?), ref: 10019CA9
                                                  • lstrlenA.KERNEL32(?), ref: 10019CBB
                                                  • lstrlenA.KERNEL32(?), ref: 10019CC5
                                                  • lstrlenA.KERNEL32(?), ref: 10019CE9
                                                  • LocalFree.KERNEL32(?), ref: 10019CFE
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D01
                                                  • CloseServiceHandle.ADVAPI32(?), ref: 10019D08
                                                  • LocalFree.KERNEL32(00000000), ref: 10019D3B
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019D42
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10019D50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$Service$Alloc$Query$FreeOpen$CloseConfigConfig2EnumHandleProcessServicesStatuslstrcat$CurrentManagerSizeToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 19575313-2896544425
                                                  • Opcode ID: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                  • Instruction ID: 602a72ac4dd89d5092f96c4d0856d720342e345610072c012a51b9f9dfb16572
                                                  • Opcode Fuzzy Hash: 2df178e330b11d1ae48753c649d3bb89eaa4c1e1807dcd0ba63a183abde4b81f
                                                  • Instruction Fuzzy Hash: 37D12C75204306AFD714DF64CC84AABB7E9FBC8700F54491DFA46A7250DB74E909CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001168
                                                  • LoadLibraryA.KERNEL32 ref: 100011B4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011B7
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutClose), ref: 100011C7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011CA
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011DD
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInReset), ref: 100011ED
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100011F0
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInUnprepareHeader), ref: 10001200
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001203
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInClose), ref: 10001211
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001214
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutReset), ref: 10001224
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001227
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutUnprepareHeader), ref: 10001237
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000123A
                                                  • #825.MFC42(?), ref: 100012C4
                                                  • #825.MFC42(00000000,?), ref: 100012CC
                                                  • #825.MFC42(?,00000000,?), ref: 100012D5
                                                  • #825.MFC42(?,?,00000000,?), ref: 100012DE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$#825
                                                  • String ID: C$H$KERNEL32.dll$TerminateThread$WINMM.dll$a$d$n$o$s$waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
                                                  • API String ID: 345516743-2415744366
                                                  • Opcode ID: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                  • Instruction ID: 3b114dfad24d7eddf03eb2cbd10a89371148df8dda5889fc91158876db1259a3
                                                  • Opcode Fuzzy Hash: 18d932df849a8b69c2fd67332b36b8b357b890c471afae06fbbbe5af20abdcb9
                                                  • Instruction Fuzzy Hash: 605143B5904384ABDB10DF74CC88D5B7F98EFD9350F45094DFA8457206DA3AD845CBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strstr$Window$IconicTextVisible
                                                  • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                  • API String ID: 4234658395-3439171801
                                                  • Opcode ID: b07a9358bbb95ddcce161cb76fe8d70c969f7287dfbfef8b9f07b457c4f792a8
                                                  • Instruction ID: c51c130f5ec414d40a0ba44ae9ee6f5576232b5ae9cd22d577f982d193c35258
                                                  • Opcode Fuzzy Hash: b07a9358bbb95ddcce161cb76fe8d70c969f7287dfbfef8b9f07b457c4f792a8
                                                  • Instruction Fuzzy Hash: 0B519379A0031676D604F6748DC4BCB36D8EF5458AF46483EF888CA040F739EB8986A3
                                                  APIs
                                                  • GetVersionExA.KERNEL32 ref: 1001B28C
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001A98A
                                                    • Part of subcall function 1001A8F0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9C4
                                                    • Part of subcall function 1001A8F0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9D4
                                                    • Part of subcall function 1001A8F0: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9E4
                                                    • Part of subcall function 1001A8F0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9EB
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001A9F8
                                                    • Part of subcall function 1001A8F0: gethostname.WS2_32(?,?), ref: 1001AA00
                                                    • Part of subcall function 1001A8F0: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001AA07
                                                  • getsockname.WS2_32(?), ref: 1001B2F6
                                                  • GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B363
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B384
                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3CF
                                                  • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3EA
                                                  • GetTickCount.KERNEL32 ref: 1001B496
                                                  • wsprintfA.USER32 ref: 1001B4B8
                                                  • wsprintfA.USER32 ref: 1001B4DF
                                                  • wsprintfA.USER32 ref: 1001B504
                                                  • wsprintfA.USER32 ref: 1001B52B
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B54C
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAA6
                                                    • Part of subcall function 1001AA20: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAE3
                                                    • Part of subcall function 1001AA20: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAF3
                                                    • Part of subcall function 1001AA20: ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB03
                                                    • Part of subcall function 1001AA20: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB0A
                                                    • Part of subcall function 1001AA20: lstrlenA.KERNEL32(?,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB11
                                                  • lstrcpyA.KERNEL32(?,?,?,00000100), ref: 1001B5B9
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B5C9
                                                  • GetLastInputInfo.USER32(?), ref: 1001B5E3
                                                  • GetTickCount.KERNEL32 ref: 1001B5E9
                                                  • _access.MSVCRT ref: 1001B608
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1001B62B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$lstrlen$lstrcpywsprintf$CloseCountCreateFreeHandleInfoLibraryReadSizeTick$AddressDiskDriveGlobalInputLastLoadMemoryProcSpaceStatusSystemTypeVersion_accessgethostnamegetsockname
                                                  • String ID: %$@$C:\ProgramData\jerrt.txt$D$Default$a$d$e$f$f$l$t$u
                                                  • API String ID: 429165215-739913618
                                                  • Opcode ID: 70d5d81430b9339b4b87a89870655033b63c12cfa3a1a37335c5909e745d7bab
                                                  • Instruction ID: 49f0004716d92fd24872b5ca3d35146abbc92b725903a05a1ef224c46368f530
                                                  • Opcode Fuzzy Hash: 70d5d81430b9339b4b87a89870655033b63c12cfa3a1a37335c5909e745d7bab
                                                  • Instruction Fuzzy Hash: C7A19DB55083859FD724CB68CC84BDBBBE9EBC8304F444A1DF58987241EB75A648CB62
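The per-function "APIs" and "String ID" bullets above are a machine-generated trace of what each routine imports and which literals it touches; what an analyst usually wants is those traces turned into behaviour labels (service and driver removal at 100101B3, service inventory at 10019960, WINMM resolution at 1000115F, the analysis-tool window-title check, host profiling at 1001B28C) that can be compared across reports. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses bullets in exactly the format printed above and applies rules built only from API combinations and strings visible in this report; the sample inputs are copied (shortened) from the listings above, while the label names, the dictionary keys and the ANSI-suffix normalisation are the example's own assumptions.

```python
"""Turn Joe Sandbox per-function API listings into behaviour tags.
Added example, not part of the report: label names and the
ANSI-suffix normalisation are this example's own choices."""
import re

# Shapes parsed:  • Api.MODULE(args), ref: ADDR
#                 • Part of subcall function ADDR: Api.MODULE(args), ref: ADDR
#                 • String ID: a$b$c
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")
ANSI_SUFFIX = re.compile(r"(?<=[a-z0-9])[AW]$")  # OpenServiceA/W -> OpenService (heuristic)

# Window-title substrings from the strstr/IsIconic routine's String ID line in the report.
ANALYSIS_TOOLS = {"ApateDNS", "Capsa", "CurrPorts", "Fiddler", "Malwarebytes",
                  "Metascan", "TCPEye", "TaskExplorer", "Wireshark"}
# (tag, normalised API names that must all appear in one function's listing)
RULES = [
    ("service_removal", {"OpenSCManager", "OpenService", "DeleteService"}),
    ("service_inventory", {"OpenSCManager", "EnumServicesStatus", "QueryServiceConfig"}),
    ("console_process_kill", {"AttachConsole", "GetConsoleProcessList", "TerminateProcess"}),
    ("host_profiling", {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceEx", "gethostname"}),
    ("idle_time_check", {"GetLastInputInfo", "GetTickCount"}),
]

def parse_function_listing(text):
    """Return {'apis': [...], 'strings': [...]} for one function's listing block.
    Sub-call bullets are kept (flagged) because the report attributes them to the caller."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            apis.append({"api": m["api"], "norm": ANSI_SUFFIX.sub("", m["api"]),
                         "module": m["module"].upper(), "args": m["args"] or "",
                         "ref": m["ref"].upper(), "subcall": m["sub"] is not None})
            continue
        m = STR_RE.match(line)
        if m:
            strings.extend(s for s in m["body"].split("$") if s)
    return {"apis": apis, "strings": strings}

def tag_behaviours(parsed):
    """Apply RULES plus argument/string based checks; returns a set of tags."""
    names = {a["norm"] for a in parsed["apis"]}
    blob = " ".join(a["args"] for a in parsed["apis"]) + " " + " ".join(parsed["strings"])
    tags = {tag for tag, need in RULES if need <= names}
    if {"LoadLibrary", "GetProcAddress"} <= names:
        tags.add("dynamic_api_resolution")
    if "ZwUnloadDriver" in blob or "SeLoadDriverPrivilege" in blob:
        tags.add("driver_unload")
    if "DeleteFile" in names and ("\\drivers\\" in blob or ".sys" in blob):
        tags.add("driver_file_deletion")
    if re.search(r"\bwave(In|Out)", blob):  # WINMM audio-capture imports
        tags.add("winmm_audio")
    if ANALYSIS_TOOLS & set(parsed["strings"]):
        tags.add("analysis_tool_window_check")
    return tags

def analyse(blocks):
    """Map block name -> sorted tags for a dict of listing texts."""
    return {n: sorted(tag_behaviours(parse_function_listing(t))) for n, t in blocks.items()}

# Inputs copied (shortened) from the report's listings; the dict keys are this example's labels.
SAMPLES = {
    "remove_service_driver_100101B3": r"""
• AttachConsole.KERNEL32(?), ref: 100101B3
• GetConsoleProcessList.KERNEL32(?,00000001), ref: 100101D8
• TerminateProcess.KERNEL32(00000000,00000000), ref: 10010226
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 100103A6
• OpenServiceA.ADVAPI32(00000000,1011EC82,00010000), ref: 100103BD
• DeleteService.ADVAPI32(00000000), ref: 100103D0
• DeleteFileA.KERNEL32(?), ref: 10010522
• ExitProcess.KERNEL32 ref: 1001063A
• String ID: .$.sys$NTDLL.DLL$SeLoadDriverPrivilege$ZwUnloadDriver$\sysnative\drivers\$\system32\drivers\
""",
    "resolve_winmm_1000115F": r"""
• LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 1000115F
• GetProcAddress.KERNEL32(00000000), ref: 10001168
• LoadLibraryA.KERNEL32(WINMM.dll,waveInStop), ref: 100011DA
• #825.MFC42(?), ref: 100012C4
""",
    "window_title_check": r"""
• API ID: strstr$Window$IconicTextVisible
• String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
""",
    "host_profile_1001B28C": r"""
  • Part of subcall function 1001A8F0: gethostname.WS2_32(?,?), ref: 1001AA00
• GetSystemInfo.KERNEL32(?,?,?,00000100,?,00000010,00000004), ref: 1001B363
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B384
• GetDiskFreeSpaceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001B3EA
• GetLastInputInfo.USER32(?), ref: 1001B5E3
• GetTickCount.KERNEL32 ref: 1001B5E9
• String ID: %$@$C:\ProgramData\jerrt.txt$Default
""",
}

if __name__ == "__main__":
    for name, tags in analyse(SAMPLES).items():
        print(f"{name}: {', '.join(tags) or '-'}")
```

Rules are matched on the whole function's API set rather than on call order, because the report lists calls by address but does not show control flow; a tag therefore means "this routine contains the ingredients", which is the right granularity for triage and for diffing two samples' function inventories, not proof of the sequence executing.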
                                                  APIs
                                                  • Sleep.KERNEL32(00000BB8,?,?,?,?,?,10098BF2,000000FF), ref: 1001D4C8
                                                  • sprintf.MSVCRT ref: 1001D4E7
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001D540
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001D595
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001D5AB
                                                  • wsprintfA.USER32 ref: 1001D5D2
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001D5E7
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001D5F3
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D601
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001D608
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                    • Part of subcall function 1001D390: EnumWindows.USER32(1001D150,?), ref: 1001D3A0
                                                  • Sleep.KERNEL32(000003E8), ref: 1001D64B
                                                  • Sleep.KERNEL32(000186A0), ref: 1001D665
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D67F
                                                  • GetTickCount.KERNEL32 ref: 1001D681
                                                  • GetTickCount.KERNEL32 ref: 1001D6AC
                                                  • GetTickCount.KERNEL32 ref: 1001D6F1
                                                  • GetTickCount.KERNEL32 ref: 1001D735
                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D758
                                                  • GetTickCount.KERNEL32 ref: 1001D77B
                                                  • Sleep.KERNEL32(00000096,?,00000001), ref: 1001D79A
                                                  • GetTickCount.KERNEL32 ref: 1001D7B7
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7C5
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001D7DA
                                                  • #825.MFC42(?), ref: 1001D866
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$CountTick$Create$AttributesFileMutex$#825CloseD@2@@std@@D@std@@DirectoryEnumErrorEventGrow@?$basic_string@HandleLastObjectReleaseSingleStartupU?$char_traits@V?$allocator@WaitWindowssprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive1$MyService1$e
                                                  • API String ID: 287845118-1910566113
                                                  • Opcode ID: f11f717b0bb64e47d535752adfd154bb21221df42febd4936ae265985878b28d
                                                  • Instruction ID: 22485af986d77e159b4f55e830ffcdca838e4d5ba84670817061d6910cd8e50c
                                                  • Opcode Fuzzy Hash: f11f717b0bb64e47d535752adfd154bb21221df42febd4936ae265985878b28d
                                                  • Instruction Fuzzy Hash: ECA1B0351083818FE320FF748C85B9EB7E4EB85744F44492DF9899B281EB75E949CB62
                                                  APIs
                                                    • Part of subcall function 1001D890: GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D8C3
                                                    • Part of subcall function 1001D890: strrchr.MSVCRT ref: 1001D904
                                                    • Part of subcall function 1001D890: isdigit.MSVCRT ref: 1001D93C
                                                    • Part of subcall function 1001D890: memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • CreateThread.KERNEL32(00000000,00000000,1001D4A0,00000000,00000000,00000000), ref: 1001DAA4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,10098C22,000000FF), ref: 1001DAB4
                                                  • sprintf.MSVCRT ref: 1001DAD3
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1001DB2C
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1001DB4F
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 1001D3B0: time.MSVCRT(00000000,1001DC1C), ref: 1001D3B2
                                                    • Part of subcall function 1001D3B0: srand.MSVCRT ref: 1001D3B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 1001DB83
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 1001DB99
                                                  • wsprintfA.USER32 ref: 1001DBC0
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,00000001), ref: 1001DBD5
                                                  • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 1001DBE1
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBEF
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 1001DBF6
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DC3A
                                                  • GetTickCount.KERNEL32 ref: 1001DC40
                                                  • GetTickCount.KERNEL32 ref: 1001DC67
                                                  • GetTickCount.KERNEL32 ref: 1001DCAC
                                                  • GetTickCount.KERNEL32 ref: 1001DCF0
                                                  • GetTickCount.KERNEL32 ref: 1001DD0E
                                                  • Sleep.KERNEL32(00000064,?,00000001), ref: 1001DD2A
                                                  • GetTickCount.KERNEL32 ref: 1001DD46
                                                  • WaitForSingleObject.KERNEL32(?,00000064,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD54
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001DD69
                                                  • #825.MFC42(?), ref: 1001DE12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountTick$Create$Sleep$CloseD@2@@std@@D@std@@FileHandleMutexU?$char_traits@V?$allocator@strrchr$#825AttributesDirectoryEos@?$basic_string@ErrorEventGrow@?$basic_string@LastModuleNameObjectReleaseSingleStartupThreadWaitisdigitmemmovesprintfsrandtimewsprintf
                                                  • String ID: %s:%d:%s$1.0.0$C:\ProgramData\%d.ini$C:\ProgramData\Microsoft Drive$MyService$e
                                                  • API String ID: 4188121392-1841343700
                                                  • Opcode ID: b56300fe3b5f9186e28637c76ba7a62eb48c83d633883b35641bfb201d6253ea
                                                  • Instruction ID: 3dec9743cdb31eb7b3d2a406ac8a3200507690ed65feec82d8d096b96d7c3b57
                                                  • Opcode Fuzzy Hash: b56300fe3b5f9186e28637c76ba7a62eb48c83d633883b35641bfb201d6253ea
                                                  • Instruction Fuzzy Hash: 0FA1F6751083419BE320FF68CC85BABB7E4EF95744F04091DF9898B191DB75E988C752
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event
                                                  • String ID: /*/$C:\ProgramData\Microsoft Drive\De.ini$Loop stopped as 1.txt does not exist.$Received command to stop loop. De.ini deleted.$jieshuxunhuan
                                                  • API String ID: 4201588131-4242312597
                                                  • Opcode ID: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction ID: 368dbf102333d3f33aab7b414df493a5988d33fb55c3cd96ca69a7f772dd8b24
                                                  • Opcode Fuzzy Hash: cd35a89f4f8be346bd41b26d9235ab9bc9cdfa24ee5166abe599360f9c5a6fc0
                                                  • Instruction Fuzzy Hash: 2771F7B5604209AFF340DF389C81D9F77DCEF95295F040629F98E93246EB21F94897A2
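The string IDs of the three function blocks above name the on-disk artefacts this sample works with: C:\ProgramData\jerrt.txt, C:\ProgramData\%d.ini (the name is formatted from an integer), the directories C:\ProgramData\Microsoft Drive and C:\ProgramData\Microsoft Drive1, and C:\ProgramData\Microsoft Drive\De.ini, whose removal ends the sample's loop ("Received command to stop loop. De.ini deleted."). The Python below is an added host-triage example, not code from the sample or from the Joe Sandbox report: it sweeps a ProgramData root for exactly those paths and returns what is present. The root is a parameter so the same function runs against a live C:\ProgramData, a mounted disk image or a test directory; the tree built by build_constructed_tree() is invented for illustration, and name matching is case-insensitive because NTFS is while a Linux mount of an image is not.

```python
import re
import tempfile
from pathlib import Path

# Relative to C:\ProgramData, taken from the report's string IDs
# (forward slashes here; the sample writes them with backslashes).
FIXED_ARTIFACTS = [
    "jerrt.txt",
    "Microsoft Drive",
    "Microsoft Drive1",
    "Microsoft Drive/De.ini",
]
# C:\ProgramData\%d.ini is formatted with an integer, so the stem is digits only.
NUMERIC_INI = re.compile(r"^\d+\.ini$", re.IGNORECASE)


def _child(dir_path, name):
    """Case-insensitive lookup of `name` inside `dir_path`; None if absent
    or if the directory cannot be read."""
    try:
        for entry in dir_path.iterdir():
            if entry.name.lower() == name.lower():
                return entry
    except OSError:
        pass
    return None


def find_artifacts(root):
    """Return the sample's file-system artefacts that exist under `root`
    (normally C:\\ProgramData) as a sorted list of relative POSIX paths."""
    root = Path(root)
    found = set()
    for rel in FIXED_ARTIFACTS:
        node = root
        for part in rel.split("/"):
            node = _child(node, part) if node is not None else None
        if node is not None:
            found.add(rel)
    try:
        for entry in root.iterdir():
            if entry.is_file() and NUMERIC_INI.match(entry.name):
                found.add(entry.name)
    except OSError:  # missing or unreadable root: report only what was checked
        pass
    return sorted(found)


def build_constructed_tree(root):
    """Constructed test tree (not copied from a real host): a subset of the
    artefacts plus a benign .ini whose name must not match NUMERIC_INI."""
    root = Path(root)
    (root / "Microsoft Drive").mkdir()
    (root / "Microsoft Drive" / "De.ini").write_text("[loop]\nrun=1\n")
    (root / "jerrt.txt").write_text("")
    (root / "17.ini").write_text("")
    (root / "notes.ini").write_text("")  # benign: stem is not all digits


def demo():
    """Build the constructed tree in a temporary root and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return find_artifacts(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("artefact present:", hit)
```

On a live Windows host call find_artifacts(r"C:\ProgramData"); on an image, point it at the mounted ProgramData directory. The service names MyService and MyService1 that appear beside these paths are not covered here, since they are a query against the service control manager (Get-Service on Windows) rather than the file system, and a numeric .ini or an empty "Microsoft Drive" directory is a lead to pivot from, not proof of infection on its own.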
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                  • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • _strcmpi.MSVCRT ref: 1000BE80
                                                  • _strcmpi.MSVCRT ref: 1000BE97
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BEB3
                                                  • #825.MFC42(?), ref: 1000BF08
                                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 1000BF2D
                                                  • DeleteFileA.KERNEL32(?), ref: 1000BF42
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 1000BF7B
                                                  • FindClose.KERNEL32(00000000), ref: 1000BF8A
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000BF98
                                                  • #825.MFC42(?), ref: 1000BFBA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$D@2@@0@FileFindHstd@@Tidy@?$basic_string@V10@V?$basic_string@$#825_strcmpi$?append@?$basic_string@CloseDeleteDirectoryEos@?$basic_string@FirstFreeze@?$basic_string@Grow@?$basic_string@NextRemoveV12@Xran@std@@
                                                  • String ID: *.*
                                                  • API String ID: 2724700886-438819550
                                                  • Opcode ID: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction ID: 3864407029e8fe6deab90730e0e99c0bea179ee7459791ed1101209935cd539f
                                                  • Opcode Fuzzy Hash: ad1961a91edd804f932eaf2f8cfb1b55517e5a9efd2cd6c5a4194da2198bfaeb
                                                  • Instruction Fuzzy Hash: F371E2754087859FE710DF24CC94AEEBBE4FB84380F444A2DF985872A5DB31A909CF52
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EB), ref: 10002357
                                                  • PostQuitMessage.USER32(00000000), ref: 10002387
                                                  • SetWindowLongA.USER32(?,000000EB,?), ref: 100023A9
                                                  • GetModuleHandleA.KERNEL32(00000000,00000066), ref: 100023B3
                                                  • LoadIconA.USER32(00000000), ref: 100023BA
                                                  • SetClassLongA.USER32(?,000000F2,00000000), ref: 100023C4
                                                  • DestroyWindow.USER32(?), ref: 100023EA
                                                  Strings
                                                  • %s %d/%d/%d %d:%02d:%02d %s, xrefs: 10002513
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongWindow$ClassDestroyHandleIconLoadMessageModulePostQuit
                                                  • String ID: %s %d/%d/%d %d:%02d:%02d %s
                                                  • API String ID: 3894596752-2160474225
                                                  • Opcode ID: 71ee426ec52ac96b800ba058b76f018c381004c1f2ad94f77a13b9f177fee775
                                                  • Instruction ID: d2af19665e460a136ed527ce0edd71708edc4414983fc6f4408890acd1a64255
                                                  • Opcode Fuzzy Hash: 71ee426ec52ac96b800ba058b76f018c381004c1f2ad94f77a13b9f177fee775
                                                  • Instruction Fuzzy Hash: B35123765046166FF321CB28CCC5FEB77ACFF48351F184735FA4AD21C2CA69A9098661
                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                  • lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • strstr.MSVCRT ref: 1002AC63
                                                  • GetPrivateProfileStringA.KERNEL32(InternetShortcut,URL,1012B064,?,00000104,?), ref: 1002ACB3
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002ACBD
                                                  • lstrlenA.KERNEL32(?), ref: 1002ACC6
                                                  • LocalSize.KERNEL32(?), ref: 1002ACDC
                                                  • LocalReAlloc.KERNEL32(?,-00000400,00000042), ref: 1002ACF5
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD05
                                                  • lstrlenA.KERNEL32(?), ref: 1002AD2F
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD49
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002AD79
                                                  • FindNextFileA.KERNEL32(?,?), ref: 1002AD95
                                                  • FindClose.KERNEL32(?), ref: 1002ADA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Find$FileLocallstrcat$AllocCloseFirstNextPrivateProfileSizeStringstrstr
                                                  • String ID: .$.url$InternetShortcut$URL$\*.*
                                                  • API String ID: 3365753205-65308377
                                                  • Opcode ID: c805ce8fdd028995b2994b9c7cc12bbc5e72bd3a72d587b08b5b7cf1a85a1e78
                                                  • Instruction ID: 37af536dae5f82db561edc0b80e1dd82c14c3405cd253366dae35501ee616fd5
                                                  • Opcode Fuzzy Hash: c805ce8fdd028995b2994b9c7cc12bbc5e72bd3a72d587b08b5b7cf1a85a1e78
                                                  • Instruction Fuzzy Hash: 8E6114352047449FC729CB28CC94AEB73E6FBC4305F540A1DFA4A93290DF78A90AC741
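The function at 1002AB66 above appends \*.* to a directory name, walks the directory with FindFirstFileA/FindNextFileA, keeps entries whose name contains .url (strstr) and reads the URL key of the [InternetShortcut] section with GetPrivateProfileStringA, growing a LocalReAlloc'd buffer with each hit: it harvests the victim's Internet shortcut files. The Python below is an added example of that artefact format and the same single-level walk, written for an analyst's collection run rather than taken from the sample or from Joe Sandbox. profile_string() reproduces the lookup semantics GetPrivateProfileStringA applies (case-insensitive section and key names, ';' comment lines, enclosing quotes stripped); the .url bodies written by build_constructed_shortcuts() are invented for illustration.

```python
import os
import tempfile
from pathlib import Path


def profile_string(text, section, key):
    """Emulate the GetPrivateProfileStringA lookup the sample performs:
    section and key names are case-insensitive, the first match wins,
    lines starting with ';' are comments, and a value wrapped in matching
    single or double quotes is returned without the quotes."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == section.lower()
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                value = value.strip()
                if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                    value = value[1:-1]
                return value
    return None


def harvest_url_shortcuts(directory):
    """Single-level walk of `directory` (the sample's FindFirstFileA loop over
    "<dir>\\*.*"), returning (filename, url) for every .url file that carries
    a URL entry in its [InternetShortcut] section."""
    hits = []
    for name in sorted(os.listdir(directory)):
        # The sample tests strstr(name, ".url"): a case-sensitive substring
        # match that would also accept "x.url.bak" and miss "x.URL".  A
        # collector wants the case-insensitive suffix test used here.
        if not name.lower().endswith(".url"):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        url = profile_string(text, "InternetShortcut", "URL")
        if url:
            hits.append((name, url))
    return hits


def build_constructed_shortcuts(directory):
    """Constructed input (not from a real host) covering the cases that matter:
    a quoted value, lower-case section/key names, an upper-case extension,
    a .url without the expected section, and a non-.url file."""
    samples = {
        "bank.URL": '[InternetShortcut]\r\nURL="https://example.com/login"\r\nIconIndex=0\r\n',
        "intranet.url": "; written by hand\r\n[internetshortcut]\r\nurl=http://intranet.example.internal/\r\n",
        "broken.url": "[Other]\r\nURL=http://should-not-be-returned/\r\n",
        "notes.txt": "[InternetShortcut]\r\nURL=http://not-a-shortcut/\r\n",
    }
    for name, body in samples.items():
        Path(directory, name).write_text(body, encoding="utf-8")


def demo():
    """Write the constructed shortcuts to a temporary directory and harvest them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_shortcuts(tmp)
        return harvest_url_shortcuts(tmp)


if __name__ == "__main__":
    for name, url in demo():
        print(f"{name}: {url}")
```

Pointed at a user's Favorites or Desktop folder, harvest_url_shortcuts() lists exactly the data this function would have exfiltrated, which is what an incident responder needs to scope the exposure; the sample itself only walks the one directory it is handed, so recurse per directory of interest rather than assuming a tree walk.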
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000000,00000065), ref: 100092C6
                                                  • wsprintfA.USER32 ref: 1000931C
                                                  • FindFirstFileA.KERNEL32(?,?,100FA614,?,00000000,00000065), ref: 1000932E
                                                  • wsprintfA.USER32 ref: 10009390
                                                  • wsprintfA.USER32 ref: 100093BC
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100093D6
                                                  • DeleteFileA.KERNEL32(?), ref: 100093E4
                                                  • FindNextFileA.KERNEL32(?,?), ref: 100093F4
                                                  • FindClose.KERNEL32(?), ref: 10009407
                                                  • RemoveDirectoryA.KERNEL32(?), ref: 1000940E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Findwsprintf$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
                                                  • String ID: %$%$%$%$%$.$.
                                                  • API String ID: 1639472542-2249276185
                                                  • Opcode ID: 2aea8407af68d81cd95f83c23c264e41da61d6d8c13cdc5b19b50d3487b0f872
                                                  • Instruction ID: f315fa8c29fec55d318e772443d46c7a284ddb7c65990d14359b7e7e16f1a137
                                                  • Opcode Fuzzy Hash: 2aea8407af68d81cd95f83c23c264e41da61d6d8c13cdc5b19b50d3487b0f872
                                                  • Instruction Fuzzy Hash: A2417F7100D3C19EE711CB64DC48AEBBBE8ABD6344F084A5DF5C893291D6759608C76B
                                                  APIs
                                                  • FindWindowA.USER32(?,00000000), ref: 1001A481
                                                  • GetWindowTextA.USER32(00000000,774D32F0,00000104), ref: 1001A4DC
                                                  • GetWindow.USER32(00000000,00000002), ref: 1001A586
                                                  • GetClassNameA.USER32(00000000,774D32F0,00000104), ref: 1001A595
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001A5A4
                                                  • wsprintfA.USER32 ref: 1001A619
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\Destop.ini,?,00000001), ref: 1001A6C7
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\De.ini,?,00000001), ref: 1001A73B
                                                  • GetFileAttributesA.KERNEL32(C:\ProgramData\Microsoft Drive\id.ini,?,00000001), ref: 1001A774
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFileWindow$ClassCloseFindHandleNameTextwsprintf
                                                  • String ID: %s $C:\ProgramData\Microsoft Drive\De.ini$C:\ProgramData\Microsoft Drive\Destop.ini$C:\ProgramData\Microsoft Drive\id.ini$CTXOPConntion_Class$qq.exe
                                                  • API String ID: 2156150844-4244366814
                                                  • Opcode ID: c3d62f271ae4cf2f749e7f3db7bbdf53ba79ab53a3d0196b4ca422e2db9b4b53
                                                  • Instruction ID: c0ae37c25abf4f8968e68a42884e47e7a6172c3946883cabbb8bb6ed88b8f4aa
                                                  • Opcode Fuzzy Hash: c3d62f271ae4cf2f749e7f3db7bbdf53ba79ab53a3d0196b4ca422e2db9b4b53
                                                  • Instruction Fuzzy Hash: 3391F736614A081BC72CC57858556AB76C3EBC5370FA9073DFE6B9B2D1DEB8CD498240
                                                  APIs
                                                  • GetLogicalDriveStringsA.KERNEL32 ref: 10008E7D
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 10008EA9
                                                  • _strcmpi.MSVCRT ref: 10008EBC
                                                  • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 10008EE7
                                                  • CloseHandle.KERNEL32(00000000), ref: 10008EEE
                                                  • lstrlenA.KERNEL32(?), ref: 10008F02
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10008F3D
                                                  • SHGetFileInfoA.SHELL32(?,00000080,?,00000160,00000410), ref: 10008F5B
                                                  • lstrlenA.KERNEL32(?), ref: 10008F69
                                                  • lstrlenA.KERNEL32(?), ref: 10008F77
                                                  • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008F96
                                                  • GetDriveTypeA.KERNEL32(?), ref: 10008FDD
                                                  • lstrlenA.KERNEL32(?), ref: 10009047
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Drive$CloseDiskFileFolderFreeHandleInfoInformationLogicalNamePathSpaceStringsTypeUserVolume_strcmpi
                                                  • String ID: SYSTEM$g
                                                  • API String ID: 545482129-3120117691
                                                  • Opcode ID: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction ID: c8429926c63601f6ea7d8031317dae8df0805160766070a83ab6d3e18fb45688
                                                  • Opcode Fuzzy Hash: df723ad6942873d95c7a4638fbedeeb3016da053a09685ffa93ad8dbc41845db
                                                  • Instruction Fuzzy Hash: 6B5180715083499FD710DF24C880AEBBBE9FBC8344F444A2DFA8997251D770AA09CB66
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 10025511
                                                  • wcstombs.MSVCRT ref: 10025552
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002556E
                                                  • NetApiBufferFree.NETAPI32(000000FF,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 1002558A
                                                  • LocalAlloc.KERNEL32(00000040,00000400,00000000,00000000,00000002,?,000000FF,?,?,?,00000000,00000000), ref: 100255AB
                                                  • lstrlenA.KERNEL32(1012C830), ref: 1002561B
                                                  • lstrlenA.KERNEL32(1012C830), ref: 1002563C
                                                  • lstrlenA.KERNEL32(?), ref: 1002564F
                                                  • lstrlenA.KERNEL32(?), ref: 10025671
                                                  • lstrlenA.KERNEL32(?), ref: 10025684
                                                  • lstrlenA.KERNEL32(?), ref: 100256A2
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 100256D6
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$AllocBufferFreeLocalProcessToken$AdjustCloseCurrentEnumErrorHandleLastLookupOpenPrivilegePrivilegesUserValuewcstombs
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2919970077-2896544425
                                                  • Opcode ID: bb763baf8d9aa935cc46cb7b0a860543be85e81c58b72f9cf9bd1d888f9032e9
                                                  • Instruction ID: c2b75ca2e45f6cce6a4d32cfab16fce262d4b8a368a4b1402089436be4555ad1
                                                  • Opcode Fuzzy Hash: bb763baf8d9aa935cc46cb7b0a860543be85e81c58b72f9cf9bd1d888f9032e9
                                                  • Instruction Fuzzy Hash: 0151D2716047159BC304DF28DC819AFB7E5FBC8700F84491DFA86A7241DB36E90ACBA6
                                                  APIs
                                                  • Sleep.KERNEL32(0000000A), ref: 1000B8A6
                                                  • lstrlenA.KERNEL32(?), ref: 1000B8B1
                                                  • GetKeyState.USER32(00000010), ref: 1000B8FB
                                                  • GetAsyncKeyState.USER32(0000000D), ref: 1000B907
                                                  • GetKeyState.USER32(00000014), ref: 1000B914
                                                  • GetKeyState.USER32(00000014), ref: 1000B93C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$AsyncSleeplstrlen
                                                  • String ID: <BackSpace>$<Enter>
                                                  • API String ID: 43598291-3792472884
                                                  • Opcode ID: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction ID: 254073e1c1d6b0a9fa3052202c61483a4731d11cdb8d0cac1f822bb488184c88
                                                  • Opcode Fuzzy Hash: 600104d3a6fed73dbf7a32e2fc48a2a7b55119f13c72bea2c34559d00484d6f4
                                                  • Instruction Fuzzy Hash: C3510471508B86ABF710DF64CC847AF73E9EB82384F010E2DEA5192194DB35D949C753
                                                  APIs
                                                  • CreateFileA.KERNEL32 ref: 1000E6D2
                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E705
                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,00000000,00000000), ref: 1000E719
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 1000E734
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E737
                                                  • Sleep.KERNEL32(000007D0), ref: 1000E742
                                                  • GetVersion.KERNEL32 ref: 1000E748
                                                  • ExitWindowsEx.USER32(00000006,00000000), ref: 1000E768
                                                  • ExitProcess.KERNEL32 ref: 1000E770
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$ControlDeviceExitFile$CloseCreateCurrentHandleOpenSleepTokenVersionWindowsWrite
                                                  • String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
                                                  • API String ID: 554375110-3993181469
                                                  • Opcode ID: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction ID: f74105865133530c9c42a2179fda12015e9b4dafff81d6fb0ebd67d8a36456bb
                                                  • Opcode Fuzzy Hash: 0afe2ad8e16ea5edbc017d365728db05ca0ba4cd117a679420f1a44199d0639f
                                                  • Instruction Fuzzy Hash: BE210735284751BBF230EB64DC4AFDB3B94BB84B10F240614FB697E1D0DAA465048B6A
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,00000065), ref: 100090AA
                                                  • wsprintfA.USER32 ref: 100090FA
                                                  • FindFirstFileA.KERNEL32(?,?,?,100FA614,?,00000065), ref: 10009110
                                                  • LocalAlloc.KERNEL32(00000040,00002800,00000000,?,00000065), ref: 10009146
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,00000065), ref: 10009174
                                                  • lstrlenA.KERNEL32(?,?,00000065), ref: 10009203
                                                  • FindNextFileA.KERNEL32(?,?,?,00000065), ref: 10009256
                                                  • LocalFree.KERNEL32(00000000,?,00000065), ref: 10009272
                                                  • FindClose.KERNEL32(?,?,00000065), ref: 1000927D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FindLocal$AllocFilelstrlen$CloseFirstFreeNextwsprintf
                                                  • String ID: .$h
                                                  • API String ID: 4283800025-2131999284
                                                  • Opcode ID: 307e575320043b804115caed38cbac3ec8beb5b39f228cc1392b29c0c3c3f6ac
                                                  • Instruction ID: c7647cf31d52d82308ceeeae83e521db419cc323410b7d2ca49bf5210a9fd8ba
                                                  • Opcode Fuzzy Hash: 307e575320043b804115caed38cbac3ec8beb5b39f228cc1392b29c0c3c3f6ac
                                                  • Instruction Fuzzy Hash: EA51287560C3829BE710CF289C84ADBBBE5EF99384F144A58F8D897381D279990DC762
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AC9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AD9
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025AE2
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                    • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                  • NetUserAdd.NETAPI32 ref: 10025B38
                                                  • #825.MFC42(?), ref: 10025B46
                                                  • #825.MFC42(?,?), ref: 10025B50
                                                  • wcscpy.MSVCRT ref: 10025B94
                                                  • #825.MFC42(?), ref: 10025B9F
                                                  • #825.MFC42(?,?), ref: 10025BA9
                                                  • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BCC
                                                  • #825.MFC42(00000000,00000000,00000000,00000003,?,00000001,?,00000000,00000001,?,?), ref: 10025BD4
                                                  • LocalFree.KERNEL32(?,00000001,?,00000000,00000001,?,?), ref: 10025C05
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$lstrlen$ByteCharLocalMultiWide$#823FreeGroupMembersUserwcscpy
                                                  • String ID:
                                                  • API String ID: 3899135135-0
                                                  • Opcode ID: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction ID: dd9d3f93371bab7a31d82c422f9be74c5db956489815e8898b81c9b0b0312487
                                                  • Opcode Fuzzy Hash: 845040a6a147bf0244a5e108915e50923d3870f156928ecec06d720133b77a1b
                                                  • Instruction Fuzzy Hash: 7D41B4B56083046BD710DB74DC81EAFB7ECEFC4704F44092DF58497242EAB9E9498B62
                                                  APIs
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                    • Part of subcall function 1002C6A0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                    • Part of subcall function 1002C6A0: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000ED2D
                                                  • Process32First.KERNEL32(00000000,00000128), ref: 1000ED4F
                                                  • _strcmpi.MSVCRT ref: 1000ED70
                                                  • OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 1000ED81
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000ED8A
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000ED92
                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 1000ED9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32_strcmpi
                                                  • String ID: SeDebugPrivilege$explorer.exe
                                                  • API String ID: 3814622859-2721386251
                                                  • Opcode ID: 9745fbd0434098cbd2d8b7dbb2f7fa8ad6dc817a89ea0a6b86a541c905211a0a
                                                  • Instruction ID: 17e0e04e845da399990fac659a5be735f6de37b5642c8976c51b599fa26cdcf9
                                                  • Instruction Fuzzy Hash: 9611D6B66003497BF310EBB0AC46FE7779CEB84381F440926FF05A2181EA65FD1846B2
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                  • htons.WS2_32 ref: 10023A68
                                                  • bind.WS2_32 ref: 10023A83
                                                  • listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • accept.WS2_32(00000000,00000000,00000000), ref: 10023ABD
                                                  • malloc.MSVCRT ref: 10023AC3
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00023710,00000000,00000000,?), ref: 10023ADF
                                                  • Sleep.KERNEL32(000003E8), ref: 10023AEE
                                                  • CloseHandle.KERNEL32(00000000), ref: 10023AF7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepStartupThreadacceptbindhtonslistenmallocsocket
                                                  • String ID:
                                                  • API String ID: 1905318980-0
                                                  • Opcode ID: c5ab5da55ce875738ee350a318f10e2aae45705a3185965182b66f85494858ea
                                                  • Instruction ID: 56a3a21ef628f72f30326426070828200dff5f44208a3ceca9b41ec927aefec2
                                                  • Instruction Fuzzy Hash: E121D6346483116BF310DF68EC8ABAB77E8FF84750F404628F698D62E0E7B199048627
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100026B3
                                                  • GetClipboardData.USER32(00000001), ref: 100026C7
                                                  • GlobalLock.KERNEL32(00000000), ref: 100026D8
                                                  • EmptyClipboard.USER32 ref: 100026F2
                                                  • GlobalAlloc.KERNEL32(00000002), ref: 1000270A
                                                  • GlobalLock.KERNEL32(00000000), ref: 10002717
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 1000273B
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10002744
                                                  • GlobalUnlock.KERNEL32(?), ref: 1000274F
                                                  • CloseClipboard.USER32 ref: 10002755
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyOpen
                                                  • String ID:
                                                  • API String ID: 3065066218-0
                                                  • Opcode ID: 2862ed5687d03e5c65a8664783a7ab9890a1c27da8607513131cd222ce1fbffd
                                                  • Instruction ID: eef061908f3c3295b15891c3fed615895cfe21d81dbfaa5e572b4fb253c06cc9
                                                  • Instruction Fuzzy Hash: 1F1194392406255FF3189B758C9DA6B7BD8FB846A2F19032DF61AC32E0DFA0DC008660
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1002699D
                                                  • OpenServiceA.ADVAPI32(00000000,sharedaccess,000F01FF), ref: 100269B0
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100269BE
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269D3
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E0
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,10024718), ref: 100269E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQueryStatusToken
                                                  • String ID: SeDebugPrivilege$sharedaccess
                                                  • API String ID: 3393504433-1846105483
                                                  • Opcode ID: c0b8c31d6f714c04054424ec397ef7f471c8f5a066e32b871914a47eb0ba0577
                                                  • Instruction ID: 551e4f36512cc3a06d5cee9f48877d10e017bd087757fc34264ce2290fb8f1bd
                                                  • Instruction Fuzzy Hash: A6F0F639650124BBE210BB148C8AFFB3E68FF99791F44011AF608A9191EBB458448AB2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017BB2
                                                  • EmptyClipboard.USER32 ref: 10017BBE
                                                  • GlobalAlloc.KERNEL32(00002000,?,?,?), ref: 10017BCE
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017BDC
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10017BF9
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 10017C02
                                                  • GlobalFree.KERNEL32(00000000), ref: 10017C09
                                                  • CloseClipboard.USER32 ref: 10017C10
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
                                                  • String ID:
                                                  • API String ID: 453615576-0
                                                  • Opcode ID: b4994271ed0c5f6ad7c9827fe64acb0f777f19826ff97a28270b989e17eee570
                                                  • Instruction ID: db7201b96ab1820305f6fb52e99ee6ce304ff54deb9d779612551a26aa299f3d
                                                  • Instruction Fuzzy Hash: 61F036752016219FE7146B604CCCBEF36A8FB48752B490519F90AD6251CB649940C7B1
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 100025B8
                                                  • GetClipboardData.USER32(00000001), ref: 100025C6
                                                  • GlobalLock.KERNEL32(00000000), ref: 100025CF
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002609
                                                  • CloseClipboard.USER32 ref: 1000260F
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 10002632
                                                  • CloseClipboard.USER32 ref: 10002638
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseUnlock$DataLockOpen
                                                  • String ID:
                                                  • API String ID: 2537359085-0
                                                  • Opcode ID: 80ece2687852f306fd33edd9e14cf1056a4f7933bde801836cb5a50ead5f4239
                                                  • Instruction ID: fa833299b88c5f4a584283747ecb7ea9d0db2f1ad11210ff9961461b47ce4595
                                                  • Instruction Fuzzy Hash: 0001B5792106145BF3089B358C8DAAB3B98FBC0321F18072AF91B961E1EFE5ED048664
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                  • GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: 4016afdebf76fc38c603403ce2775b0087815ffa4e94011ab6c2084e23305a80
                                                  • Instruction ID: 9ea1a39ba13499be5e37f09f5477951cbb04746b7bbf0bdf0a23c0e989a9349b
                                                  • Instruction Fuzzy Hash: AA0144B9654300ABE304EF74CC89FAB77A4FB84700F88891CF64A86290D675D4448B61
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10029105
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1002911D
                                                  • GetLastError.KERNEL32 ref: 10029123
                                                  • CloseHandle.KERNEL32(?), ref: 10029134
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3398352648-0
                                                  • Opcode ID: 149c958cf4e409a043c1ff8710811fbd874f2c7f626f077d67b57da5f78a4f18
                                                  • Instruction ID: 4db5a6e2c7b4cb126f103a4b1f94b4cfd3d626149b56619aedb11a4ed5bc1c08
                                                  • Instruction Fuzzy Hash: F4018879654310AFE304EB78CC89F9B77A8FB84B00F448A1DF68D96290D775D8048761
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 1001A107
                                                  • CoCreateInstance.OLE32(100EACE0,00000000,00000001,100EACC0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A11F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInitializeInstance
                                                  • String ID: FriendlyName
                                                  • API String ID: 3519745914-3623505368
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 10009C85
                                                  • FindClose.KERNEL32(00000000), ref: 10009D07
                                                  • CloseHandle.KERNEL32(?), ref: 10009D19
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10009D31
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileFind$CreateFirstHandle
                                                  • String ID: p
                                                  • API String ID: 3283578348-2181537457
                                                  Strings
                                                  • *** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100804BE
                                                  • *** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100806E0
                                                  • *** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 100802CC
                                                  • IVOP, xrefs: 100802F0
                                                  • *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i, xrefs: 10080402
                                                  • *** END, xrefs: 1008083B
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *** BFRAME (flush) bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** EMPTY bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** END$*** FINISH bf: head=%i tail=%i queue: head=%i tail=%i size=%i$*** IFRAME bf: head=%i tail=%i queue: head=%i tail=%i size=%i$IVOP
                                                  • API String ID: 0-2073594325
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: bindsocket
                                                  • String ID:
                                                  • API String ID: 3370621091-0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                  • Process32First.KERNEL32(00000000,?), ref: 10027112
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 10026F40: CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000,00000000,?,00000074), ref: 10026F67
                                                    • Part of subcall function 10026F40: Module32First.KERNEL32(00000000,00000000), ref: 10026F7C
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026F9B
                                                    • Part of subcall function 10026F40: Module32Next.KERNEL32(00000000,00000000), ref: 10026FA7
                                                    • Part of subcall function 10026F40: lstrcmpiA.KERNEL32(?,?), ref: 10026FB9
                                                    • Part of subcall function 10026F40: CloseHandle.KERNEL32(00000000), ref: 10026FC4
                                                  • Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFirstHandleModule32NextProcess32SnapshotToolhelp32lstrcmpi
                                                  • String ID:
                                                  • API String ID: 1584622316-0
                                                  APIs
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: exitfprintf
                                                  • String ID: %s
                                                  • API String ID: 4243785698-620797490
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 1001750C
                                                  • BlockInput.USER32(?,?,?,00000000), ref: 10017528
                                                  • BlockInput.USER32(?), ref: 100175D3
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  APIs
                                                    • Part of subcall function 100089F0: lstrlenA.KERNEL32(?), ref: 10008A21
                                                    • Part of subcall function 100089F0: malloc.MSVCRT ref: 10008A29
                                                    • Part of subcall function 100089F0: lstrcpyA.KERNEL32(00000000,?), ref: 10008A41
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A6D
                                                    • Part of subcall function 100089F0: CharNextA.USER32(00000002), ref: 10008A8B
                                                    • Part of subcall function 100089F0: GetFileAttributesA.KERNEL32(00000000), ref: 10008ACF
                                                    • Part of subcall function 100089F0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10008ADC
                                                    • Part of subcall function 100089F0: GetLastError.KERNEL32 ref: 10008AE6
                                                    • Part of subcall function 100089F0: free.MSVCRT ref: 10008B44
                                                  • FindFirstFileA.KERNEL32(?,?,00000041,00000000,00000000,00000001,?,?,00000000,00000065), ref: 10009BDA
                                                  • FindClose.KERNEL32(00000000,0000006D,?,00000000,00000065), ref: 10009C06
                                                  • FindClose.KERNEL32(00000000,?,00000000,00000065), ref: 10009C21
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CharCloseFileNext$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 887710168-0
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10020A10
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 10020A25
                                                  • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10020A30
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  APIs
                                                  • OpenEventLogA.ADVAPI32(00000000), ref: 1000E57C
                                                  • ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000E587
                                                  • CloseEventLog.ADVAPI32(00000000), ref: 1000E58A
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$ClearCloseOpen
                                                  • String ID:
                                                  • API String ID: 1391105993-0
                                                  • Opcode ID: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction ID: e2617011e296939ca9cc499396a789e41a2db0335649869ff5bc3c2fc59dee1f
                                                  • Opcode Fuzzy Hash: b719f0b8eb9c5516b5e29b39de37e38f590415d9596412b4ce2da0eade4c8ec0
                                                  • Instruction Fuzzy Hash: B8F0C271504755DBD300DF09CC80B4BBBE8FB88340F800D09F954A7201E775AE088BA6
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 10010656
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3672536310-3733053543
                                                  • Opcode ID: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction ID: 8bb9d6b82e749448676f30d8a34e8541df49bcb33f5f773f867f71790e701dd0
                                                  • Opcode Fuzzy Hash: 5c3b0d6465ec82876b96f4a11b20ef9413b9959b1a27daeafe2d367ede1fa4d8
                                                  • Instruction Fuzzy Hash: E9C01279540B0C2BD450DB509C87F4A32549B24705F544810F7145D1C1EAB9B454497E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 2$?
                                                  • API String ID: 0-2669683831
                                                  • Opcode ID: 82d0a23524c8e639fe612ce29f0b0a327bed8ec205d1f2a73d9b6a9962b00d97
                                                  • Instruction ID: e3216f6868f9e4cf5f6781065e10e0d9461c84bc6dce7621e4154a7730d0a26f
                                                  • Opcode Fuzzy Hash: 82d0a23524c8e639fe612ce29f0b0a327bed8ec205d1f2a73d9b6a9962b00d97
                                                  • Instruction Fuzzy Hash: 1972D6B4604B429FD368CF29C890B9AF7E5FB88304F118A2DE59D87351EB30A955CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: U,E
                                                  • API String ID: 0-4027942359
                                                  • Opcode ID: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction ID: 62788b8b9c83910406f6e107d4ec69dc7ae710b733b3debf393c051762315612
                                                  • Opcode Fuzzy Hash: bb403865d610320d9d3144d3c8a59b381feae8db40863a7a375d4a88aa33cec3
                                                  • Instruction Fuzzy Hash: 799279B5A002499FDB24CF28C881BEA77E5FF88344F50852EEA49CB351D734EA45CB95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf
                                                  • String ID:
                                                  • API String ID: 590974362-0
                                                  • Opcode ID: ff90f73474dabd82ae3067d476fcd8e7c0353b33501274f27f7b9a7cf42dc2d8
                                                  • Instruction ID: 5aa8e0581ca9c61f6fa59a3ea5278b0e339d6fb469f5b802416a7b005548d055
                                                  • Opcode Fuzzy Hash: ff90f73474dabd82ae3067d476fcd8e7c0353b33501274f27f7b9a7cf42dc2d8
                                                  • Instruction Fuzzy Hash: E872F779A00B045FD320DE16DC81BAB73D5EFC5310F11C42DEAAA87B92EAB4F9418795
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `
                                                  • API String ID: 0-2679148245
                                                  • Opcode ID: 67634c2c52ae4da3c090af6cdcece1f51e784655f4b8252d7771084186b7efcc
                                                  • Instruction ID: 5ba99edb4dc111c4c3f754275c391baa9eac253efeba611e3fe4600b19b7e26f
                                                  • Opcode Fuzzy Hash: 67634c2c52ae4da3c090af6cdcece1f51e784655f4b8252d7771084186b7efcc
                                                  • Instruction Fuzzy Hash: B37224B16087009FD358CF28CC85A6BB7E5FBC8304F54892DF99A87355EA74E901DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction ID: 187d62c811851c58088b2f1c6dce946c8a0fd3b94e8cc69681fc47f369cecc54
                                                  • Opcode Fuzzy Hash: 05437cc4da248d0b5c8cb68c61ac51f3f1356b75297161c92043c969fa7b9174
                                                  • Instruction Fuzzy Hash: 5F824AB5A042459FC758CF18C880AAAFBE5FF88344F14866EE949CB356D770E981CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: 224c8d5f358a7b6ef40d174852e6fea1c18b7104658d6185486e6c31f62c3a69
                                                  • Instruction ID: fe8cd2cc24421d6a9a7cee5e5788c892982403802447b05bf67885c1992b357f
                                                  • Opcode Fuzzy Hash: 224c8d5f358a7b6ef40d174852e6fea1c18b7104658d6185486e6c31f62c3a69
                                                  • Instruction Fuzzy Hash: 397223B16087019FD358CF28CC85A6BB7E5EBC8304F04892EF99A87351EB35E905DB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P
                                                  • API String ID: 0-3110715001
                                                  • Opcode ID: 1744a71cc153f435a488135215ca316859ffb33d37d10a6ad281924961b10e09
                                                  • Instruction ID: d184077492bed8aef1c2b56622c036f2df93d33661324d6ff674df0f5cadea1b
                                                  • Opcode Fuzzy Hash: 1744a71cc153f435a488135215ca316859ffb33d37d10a6ad281924961b10e09
                                                  • Instruction Fuzzy Hash: 655238B56047019FD358CF28C885AABB7EAFBC8340F15892DF98A87351EB74E805CB51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftol
                                                  • String ID:
                                                  • API String ID: 2545261903-0
                                                  • Opcode ID: 7a9bd9669acc6f9723b73846090dd6e66c1ecf8a2b571f2b7f2950442504dfaf
                                                  • Instruction ID: ce3ace6327e3203f5d2051b33f1549e90bcca54b4fbe323c781dd39a00036240
                                                  • Opcode Fuzzy Hash: 7a9bd9669acc6f9723b73846090dd6e66c1ecf8a2b571f2b7f2950442504dfaf
                                                  • Instruction Fuzzy Hash: 6A221974A043868FDB68CF18C490B9AB7E2FFC8304F11896EE9898B355D730E951CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p
                                                  • API String ID: 0-2181537457
                                                  • Opcode ID: c0112df73418a4f496818cd07d16fa3fdfad0c2254d9b3da0803b42da5236a41
                                                  • Instruction ID: f7052ab2a3d0824c41790045bc7bbe12662eb6fe58e132b7cacf9ba9d32faa16
                                                  • Opcode Fuzzy Hash: c0112df73418a4f496818cd07d16fa3fdfad0c2254d9b3da0803b42da5236a41
                                                  • Instruction Fuzzy Hash: D02224726047009FD358CF68C885AABB7E9FB88304F45891DF99EC7351EB74A905CB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                  • Instruction ID: 1973868626951cbc4e1e6dbbbaae98c5aea718cf2aa9e198ecfd8e57a8fac991
                                                  • Opcode Fuzzy Hash: b7c368c19ef43085cbd88bfad823d9457c7e6e5029ebf07f9028f357f5e6a29f
                                                  • Instruction Fuzzy Hash: 4722F1B5A142059FCB48CF18C490A9ABBE5FF88310F558A6EFC49CB346D770E941CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                  • Instruction ID: f9911c3756e58d96d67ac0068ac05fe94daea12ae19a9087e13a65d9dc3f6b02
                                                  • Opcode Fuzzy Hash: 454b192ecfaca2bfeccc7b5d9f1b28ddef83bf891173fbfbdba393ab323421c2
                                                  • Instruction Fuzzy Hash: 9F626D74600B428FD734CF29D980A26B7E1FF85650B158A2DE887D7B51D730F94ACBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                  • Instruction ID: 752e0dd24e133d73b6f08329f2179d760a74bb4bde05081f5036a7f9d25ca0bd
                                                  • Opcode Fuzzy Hash: 97e2224dc0ef2b1fc53d62958fd45e5f26a65b99f05693ffc431e4c50dd9cacc
                                                  • Instruction Fuzzy Hash: AE423A74504B468FC326CF18D480A6BB7F5FF89345F14496DE9868B712D731EA0ACB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                  • Instruction ID: 666f91e0f4e9b9f2dd51f1c7e6263b133853ce75cc250038ad35c0a21c5c6ed6
                                                  • Opcode Fuzzy Hash: ea6ab9f78f90f424b4e1c8bf84860adce0fffc767b65f905f94987ab85e84ed9
                                                  • Instruction Fuzzy Hash: 6B02F0B56087458BE704CF28D88071BB7E6EFC5294F46852CF88A87345EB35EE05C7A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                  • Instruction ID: 41471438a16cbbac6786139d1061e5c3017a9635662bae8005eac138925a0d7c
                                                  • Opcode Fuzzy Hash: 4797e064f56f14eac9a7beb65e631e3381fa09ee9f13918a05c30c79d5ca12ac
                                                  • Instruction Fuzzy Hash: CD3203B56042459FCB68CF28C880B9AB7E5FF88304F15866EED499B345D730EA41CF95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28f74a478b9e56c454a2729459905cb1d28662fe90d563d355c94c2c2b461897
                                                  • Instruction ID: 4d71161d89cbbead2164ec4957e4dfeca612bfca0d3e2a666b1d05633a211095
                                                  • Opcode Fuzzy Hash: 28f74a478b9e56c454a2729459905cb1d28662fe90d563d355c94c2c2b461897
                                                  • Instruction Fuzzy Hash: B91219B56087419FD364CF58C880AABB7EAFBC8304F15892DF59A87354EB70E905CB52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20b7cfe01caa3f4186f54ee0bd46686b24229b0d6bfff7e3f713d6b1973d67e9
                                                  • Instruction ID: 1a2f8e5215c28f0ed089b4e417405f415f18f762e39f11f2e1df00e997976450
                                                  • Opcode Fuzzy Hash: 20b7cfe01caa3f4186f54ee0bd46686b24229b0d6bfff7e3f713d6b1973d67e9
                                                  • Instruction Fuzzy Hash: 8B12E6A5E35FA741E783AAB854424A5F3607FEB140B06AB17FC9070C42FB3AD38E4254
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                  • Instruction ID: 6bf080dd21d2c418260dd11eed1b3b6311730e3ee8d8d0daa20e21ca440b09df
                                                  • Opcode Fuzzy Hash: 373561648ed17f623230584d40b545c58971e2c0c6a1969ba25a6d51b433a622
                                                  • Instruction Fuzzy Hash: 800257B4604B458FC326CF18C490A6BB7E5FF89305F154A6DE98A8B712D731F90ACB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                  • Instruction ID: 029373d71355fbd2ad70396b17303df9a12dee90329dec291bf355f95b858a0e
                                                  • Opcode Fuzzy Hash: 6e2fb3a0990cb8f2fdad2bfe0b8d49da4d09b219bcd50ed853708e3854edc2e9
                                                  • Instruction Fuzzy Hash: D9122874A093418FC315CF09D48094AB7E2FFCC359F598A6DE9885B326DB30B916CB96
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                  • Instruction ID: ace8e06d0a3442dc2e4d5d93a36c7dda4def718a55803d6bed4ad8f29c8fc085
                                                  • Opcode Fuzzy Hash: 40d6cc66e0b936cdead37ef532d89ee06d34439e23798db7d65ba9872918fda5
                                                  • Instruction Fuzzy Hash: BB026C756087428FC709CF1AC490A5AFBE2FFC8319F19896DD9899B316DB31E906CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                  • Instruction ID: 64735ea465274e5fb1f8591c2231c0b85bce749390d1d6339555928da74c1d0a
                                                  • Opcode Fuzzy Hash: 5a3b1edd6918a6fbb49c5e17d253c2efa91f0bc55c0e6aeb1232c13692f9d9d0
                                                  • Instruction Fuzzy Hash: BFD11639B00B055FD724DE2ACC81BABB3D6EFC4310F00852DEA9B87B92D6B4F9418651
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97aafaa7d09f2a587d9b47b0a7b3b92ca9fa010e9f6a99fe67426401d4192c2e
                                                  • Instruction ID: 62b796718e84f24db96b20aa623b88a4f735824615e6ff2014f862d8e28d506b
                                                  • Opcode Fuzzy Hash: 97aafaa7d09f2a587d9b47b0a7b3b92ca9fa010e9f6a99fe67426401d4192c2e
                                                  • Instruction Fuzzy Hash: 0EE1F3B2A083954FD318CF28C89065ABBE1FBC4380F16867DE8D6DB351D678D949CB85
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction ID: d9b1ff911830af0539c7349bf08e3b2d9740b495c4966d40e324d81a2e3ecd1b
                                                  • Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
                                                  • Instruction Fuzzy Hash: 52F1BEB65096418FC309CF18D4989E2BBE5EF98310B1F42FDC4499B362D332E985CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction ID: 7bb6ed843fccb1d171a269f829f0da8c3387a7479521bb1172319b2c54a59b23
                                                  • Opcode Fuzzy Hash: 2687faa37309abc548b5ff328fe7a62011fc3d30ac3d746e604706c2c85b3cbe
                                                  • Instruction Fuzzy Hash: 60D155B5A057468FC314CF09C890A5AF7E1FFC8354F158A2EE8999B311D730E946CB92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction ID: 191fb6512ce3fe81ac62e8b205ff347e08eb9b5354047abb2973186291256276
                                                  • Opcode Fuzzy Hash: 80c568206ee772c262ef29b3cb3411df1fba831bc70dbbdd959477f18782bbad
                                                  • Instruction Fuzzy Hash: 52D1AE64926B0296D716CF38D082436B3A2FFF27147A4C75ED886B715AFB30E895C381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc49b93a90eb42755b28ff9a1f4e157d09a1c2fb66e4d2f97c50c74f42bac02d
                                                  • Instruction ID: c9d9968e773ab0179434f71f20166d56fb7836a4f0aba6d95100071a75a33e44
                                                  • Opcode Fuzzy Hash: dc49b93a90eb42755b28ff9a1f4e157d09a1c2fb66e4d2f97c50c74f42bac02d
                                                  • Instruction Fuzzy Hash: 39C136716087468FD31CCF19C89156AFBE2FFC8704F048A2DE59A87354EB34A914CB89
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction ID: 1cefddefc1273a83d4783cd2495db2e7edfb8caec8dc97b4bcf5608fb9fa9477
                                                  • Opcode Fuzzy Hash: 44531fdb7ad762606b8c0ed8b22239f60f764cef16d5b4e10ce9907491eaaf73
                                                  • Instruction Fuzzy Hash: 8DD18A756092518FC319CF28E8D88E67BE5FF98710B1E42F8C9898B323D731A985CB55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction ID: 721eaa63ce6458851d8aa1b9dc4c03e48d6a588ee79b546b769e2eb3cd3e4e7c
                                                  • Opcode Fuzzy Hash: e36b668c6f7f275d4e3c1909ff9ce4881944ec2a47434caefc73e7e0d96a4ec0
                                                  • Instruction Fuzzy Hash: 56C13E3560D3828FC308CF69C49055AFBE2BFCA208F49D97DE9D98B312D671A919CB45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction ID: ac40b97b19cf350deb4381199cebd45df556241ac8ef125ecfdd14d8ce777ac4
                                                  • Opcode Fuzzy Hash: 380346d83fdc543ebc22177e3de29bc30f0f136880a3c99924b68710931819b8
                                                  • Instruction Fuzzy Hash: 3CA1B334A087968FC709CF29848031ABBE2FFD9616F24C66DD8A58F299E771C905C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction ID: 5f98526eac24df5b1521ed8c3c60a8dea648e96a9abcffbfabeff445296a397c
                                                  • Opcode Fuzzy Hash: 5ba32ef62104ad4fa989df10cd095480fe71a6d544f4596f173a80f44f9302ff
                                                  • Instruction Fuzzy Hash: 4EC18BA4A2AF0596D7168F38D482536B3A1FFF17147A4C74AD8C6B715EFB20E4A1D280
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction ID: 8d182b711f86b2590d44b9e897d1d1c98bcbef0953a52f6730e8bedf5447d214
                                                  • Opcode Fuzzy Hash: 87cd360eeabfb3d2a53af9d4dc92188b2830e60fc760d83bb67fb1035d8072f3
                                                  • Instruction Fuzzy Hash: F6916D32604B428FD729CF29C8914ABB7E2EF86344B69892DD5D787B11E731B849CB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction ID: e70820d266a8dfc3c891c9c4e497ac63b67ceedcd589d3e7af91b45e671c8c89
                                                  • Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
                                                  • Instruction Fuzzy Hash: FB718533755A8207E71CCE3E8C612BAABD38FC621432ED87E94DAC7756EC79D41A5204
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27c135387e15843d5111bdeacdeb80c544cc66fa5b1e7e016b7e8428dd49fc97
                                                  • Instruction ID: 37a9a9593b3dc3555cfa8e56289a9d5074fe474d1c8ec2e397b83cc327960a0e
                                                  • Opcode Fuzzy Hash: 27c135387e15843d5111bdeacdeb80c544cc66fa5b1e7e016b7e8428dd49fc97
                                                  • Instruction Fuzzy Hash: 61914A756047059FD758CF28C881BABB7EAEBC8300F55992DF99AC7340EA30F9058B51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5bed60060751f39adf9628b607899d39014c7b2f99b3987925e1250c265d70b
                                                  • Instruction ID: 9f11bce80a0ec17ae65470847eba7d25ade11d084938c03b16f53130ee7c7e33
                                                  • Opcode Fuzzy Hash: f5bed60060751f39adf9628b607899d39014c7b2f99b3987925e1250c265d70b
                                                  • Instruction Fuzzy Hash: 7B914A716093818FC318CF6DC89056AFBE2FFCE304F19863EE589C7365DA7599068A46
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                  • Instruction ID: 394e96dab5a0ad22cad07a8418f847d0fe22322e10ef68398779eb1422000efd
                                                  • Opcode Fuzzy Hash: 361d593a6597ca170d4028ccc48b8ee29c1db73e1bb6d68cc95f9e1a891fcec8
                                                  • Instruction Fuzzy Hash: 4E81BF327195A64BE708CF29DCE053BB7A3EB8D340F19883DC686D7356C931A91AC760
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                  • Instruction ID: 4e5fd15620c05232e311bf08b0a4888acbdfcfc8b05760d64ecdd7d941a19f93
                                                  • Opcode Fuzzy Hash: 763eac6b6b42709351b1268c3bfac75d101506b380c3a22d1c78b889bc5400ed
                                                  • Instruction Fuzzy Hash: 67219373BF4E1B0EE344A9FCDC4A7A135C1D3A4715F198E38A119C72C0F5ACCA885250

                                                  Control-flow Graph

                                                  APIs
                                                  • atoi.MSVCRT(?), ref: 10025E9A
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                    • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • atoi.MSVCRT(?,80000002,?,?,00000004,?,00000000,00000000,00000000), ref: 10026908
                                                    • Part of subcall function 10014CA0: RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • Sleep.KERNEL32(000005DC), ref: 10026933
                                                    • Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Strings
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID: AddressLibraryLoadProcValue$#823Deleteatoi$Sleep
                                                  • String ID: $ $ $ $ $ $-$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$E$E$E$E$E$E$M$M$M$M$M$M$N$P$P$P$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$W$W$Y$Y$Y$Y$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$a$a$a$a$a$a$a$b$c$c$c$c$d$d$d$d$f$i$i$i$i$i$i$i$i$i$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$s$s$s$s$u$u$u$u$u$v$v$v$v$v$v$w$y
                                                  • API String ID: 3245547908-431623420
                                                  • Opcode ID: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                  • Instruction ID: 46da3d8f85b41806bff36dc6f8e690e7e2fa6d6d5cef91b77a25e2a54a4f965e
                                                  • Opcode Fuzzy Hash: 6ddffa8ede800b22b0c7d31f1a98932fe5aee7fc99250002329de52fbb2c0142
                                                  • Instruction Fuzzy Hash: 70524C2154D7C0DDE332C6689859BDBBED21BB3709F48489D92DC1B283C2BA4658C77B

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • LoadLibraryA.KERNEL32 ref: 1001BA99
                                                  • GetProcAddress.KERNEL32 ref: 1001BB65
                                                  • GetProcAddress.KERNEL32 ref: 1001BDDC
                                                  • GetCurrentProcess.KERNEL32 ref: 1001BE73
                                                  • Sleep.KERNEL32(00000014), ref: 1001BEC5
                                                  • Sleep.KERNEL32(000003E8), ref: 1001BF4C
                                                  • CloseHandle.KERNEL32(?), ref: 1001BF9F
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFBC
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFC7
                                                  • CloseHandle.KERNEL32(?), ref: 1001BFD5
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001BFDC
                                                  Strings
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID: Handle$Close$AddressLibraryProc$LoadSleep$CurrentFreeModuleProcess
                                                  • String ID: .$.$.$2$2$2$3$3$3$A$A$A$A$A$A$B$B$C$C$D$D$D$D$E$E$E$E$E$E$G$I$I$I$K$L$N$N$O$P$P$P$P$Q$R$R$S$S$S$S$S$T$T$T$T$T$T$U$U$U$V$V$W$W$W$a$a$c$c$c$c$c$c$d$d$d$d$i$i$i$i$i$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$m$m$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$v$v$v$y$y$Mw
                                                  • API String ID: 2138834447-3670321408
                                                  • Opcode ID: 986803221d92b284a1ced20c5c8d8ce2802ba8e88640f4ae639c33b509c4433e
                                                  • Instruction ID: b92ea2c6ecc8dc9ed4b31073c573c3eaba9d3190629ecc8d5bf6861edb2dfcac
                                                  • Opcode Fuzzy Hash: 986803221d92b284a1ced20c5c8d8ce2802ba8e88640f4ae639c33b509c4433e
                                                  • Instruction Fuzzy Hash: CF32AF6040C7C4C9E332C7688848BDBBFD66BA6748F08499DE2CC4B282C7BA5558C777
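The two listings above (the function at 10025E9A/10026908, whose subcall 10014CA0 resolves ADVAPI32 registry APIs through LoadLibraryA/GetProcAddress before writing and deleting keys and values, and the loader routine from 1001BA99 onward) are the raw material an analyst has to triage by hand. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "APIs" format, recovers which names the code resolves at run time, lists the APIs it calls through the ordinary import table, decodes the hex Sleep arguments (000005DC is 1500 ms) and flags categories of interest. The recovery of resolved names relies on a heuristic stated in the code (Joe Sandbox prints the stack slots it observed at the call, and for the LoadLibraryA(dll) + GetProcAddress(h, name) idiom the slot after the DLL name is the already-pushed name string); the category table is an analyst's choice, and the sample lines are a constructed subset copied from the listings.

```python
"""Triage helper for Joe Sandbox-style 'APIs' listings (added example, not
part of the report or of the analysed sample)."""
import re
from collections import defaultdict

# One call line, e.g.
#   "LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27"
#   "Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56"
#   "LoadLibraryA.KERNEL32 ref: 1001BA99"            (no argument list recorded)
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"        # API name (MFC ordinals look like #823) and module
    r"(?:\((?P<args>[^)]*)\))?"             # optional argument list as the sandbox printed it
    r",?\s*ref: (?P<ref>[0-9A-F]{8})"       # address of the call site
)

# Analyst-chosen categories for this example (an assumption, not a sandbox rule).
WATCH = {
    "registry": {"RegOpenKeyExA", "RegCreateKeyA", "RegSetValueExA",
                 "RegDeleteKeyA", "RegDeleteValueA"},
    "ini-read": {"GetPrivateProfileSectionNamesA", "GetPrivateProfileStringA"},
    "shell-folder": {"SHGetSpecialFolderPathA"},
}
RESOLVERS = {"LoadLibraryA", "GetProcAddress", "GetModuleHandleA"}


def parse_calls(lines):
    """Yield one dict per call line; headers such as 'APIs' or 'Strings' produce nothing."""
    for raw in lines:
        line = raw.strip().lstrip("•").strip()
        m = CALL_RE.search(line)
        if m:
            call = m.groupdict()
            call["args"] = [a for a in (call["args"] or "").split(",") if a]
            yield call


def summarize(lines):
    """Build a triage summary for one function's listing.

    Heuristic: Joe Sandbox prints the stack slots it saw at the call.  For the
    LoadLibraryA(dll) + GetProcAddress(h, name) idiom the compiler has already
    pushed `name` when LoadLibraryA runs, so the slot after the DLL name is
    taken to be the import being resolved.
    """
    resolved = defaultdict(set)   # dll (lower-cased) -> names resolved at run time
    direct = set()                # APIs called through the normal import table
    sleeps_ms = []                # Sleep() delays, decoded from the hex argument
    for c in parse_calls(lines):
        args = c["args"]
        if c["api"] == "LoadLibraryA" and len(args) >= 2 and args[0].lower().endswith(".dll"):
            resolved[args[0].lower()].add(args[1])
        elif c["api"] not in RESOLVERS:
            direct.add(c["api"])
        if c["api"] == "Sleep" and args and re.fullmatch(r"[0-9A-Fa-f]{8}", args[0]):
            sleeps_ms.append(int(args[0], 16))
    names = set(direct).union(*resolved.values())
    flags = {cat: sorted(names & want) for cat, want in WATCH.items() if names & want}
    return {"resolved": dict(resolved), "direct": sorted(direct),
            "flags": flags, "sleeps_ms": sleeps_ms}


# Constructed input: a handful of lines copied from the listings above.
SAMPLE_LISTING = """\
• atoi.MSVCRT(?), ref: 10025E9A
  • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
  • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
  • Part of subcall function 10014CA0: RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
  • Part of subcall function 10014CA0: RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
• Sleep.KERNEL32(000005DC), ref: 10026933
• LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
• GetProcAddress.KERNEL32(00000000), ref: 10005D45
• LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
• LoadLibraryA.KERNEL32 ref: 1001BA99
• SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LISTING.splitlines()).items():
        print(f"{key}: {value}")
```

Because the heuristic reads stack slots rather than the GetProcAddress argument itself, a garbled slot such as the "RegCrkat" at 10014D10 is reported verbatim; treat the resolved set as a lead to confirm in the disassembly, not as ground truth.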
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005D3C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D45
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005D55
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D58
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetPrivateProfileStringA), ref: 10005D6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D6E
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 10005D81
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D84
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 10005D94
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005D97
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 10005DA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DAA
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 10005DBD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DC0
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcmpA), ref: 10005DD3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005DD6
                                                  • strchr.MSVCRT ref: 100060F0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006131
                                                  • wsprintfA.USER32 ref: 10006151
                                                  • #823.MFC42(00001000), ref: 100061B3
                                                  • #825.MFC42(?,?,?,00000000,?,?,00000000,?,?), ref: 1000638B
                                                  • #825.MFC42(00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006391
                                                  • #825.MFC42(00000000,00000000,?,?,?,00000000,?,?,00000000,?,?), ref: 10006397
                                                  • #825.MFC42(00000000), ref: 100063DD
                                                    • Part of subcall function 10005A50: LoadLibraryA.KERNEL32 ref: 10005AA7
                                                    • Part of subcall function 10005A50: GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005A50: wsprintfA.USER32 ref: 10005B17
                                                  Strings
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID: AddressLibraryLoadProc$#825$wsprintf$#823FolderPathSpecialstrchr
                                                  • String ID: $ $ $%s\%s$.$.$C$C$D$D$Device$DialParamsUID$GetPrivateProfileSectionNamesA$GetPrivateProfileStringA$GetVersionExA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$PhoneNumber$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcmpA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                  • API String ID: 2391671045-4160613188
                                                  • Opcode ID: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                  • Instruction ID: ae3809650b471314dde33fff758c838472e2731737b5b0f95b3dee6920cb3e1a
                                                  • Opcode Fuzzy Hash: eca479f0cba930ca087138913895d5de84e08072406ba3e1e92d2a47810035d3
                                                  • Instruction Fuzzy Hash: 77120A6150D3C4DEE322CB788848B9BBFD5AFE6748F08494DE1C847292C6BA9548C777
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 10005461
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000546A
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetPrivateProfileSectionNamesA), ref: 10005478
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000547B
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 1000548E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005491
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 100054A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054A4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 100054B7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100054BA
                                                  • strchr.MSVCRT ref: 100057B9
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 100057F6
                                                  • wsprintfA.USER32 ref: 10005816
                                                  • #823.MFC42(00001000), ref: 1000583D
                                                  • #825.MFC42(00000000), ref: 1000589B
                                                  Strings
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID: AddressLibraryLoadProc$#823#825FolderPathSpecialstrchrwsprintf
                                                  • String ID: $ $ $%s\%s$.$.$C$C$D$D$GetPrivateProfileSectionNamesA$GetWindowsDirectoryA$KERNEL32.dll$M$M$N$N$S$a$a$a$a$a$a$b$b$b$b$c$c$c$c$c$c$d$e$e$e$e$e$e$e$e$f$f$g$h$h$i$i$i$i$i$i$k$k$k$k$k$k$kernel32.dll$lstrcatA$lstrcpyA$lstrlenA$m$p$p$p$p$p$p$r$r$r$r$r$r$s$s$s$s$s$s$s$s$u$w$w
                                                  • API String ID: 1413152188-1163569440
                                                  • Opcode ID: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                  • Instruction ID: 0562570b42432492150a784315d896445768f268a1e3393a75b37121b429ab9d
                                                  • Opcode Fuzzy Hash: 6b0de1d9b4d272058180ea5e85739ea82220ea56e8af9adbbb86897ae75e66d6
                                                  • Instruction Fuzzy Hash: E4D1B26140D7C0DDE322C778849878BBFD66FA2748F08498DE1C84B293C6BA9658C777
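The two functions above (10005D3C onward and 10005461 onward) resolve GetPrivateProfileSectionNamesA, and in the first case also GetPrivateProfileStringA, build a path with SHGetSpecialFolderPathA (CSIDL 0x23 is CSIDL_COMMON_APPDATA) and the format string "%s\%s", and carry the strings "Device", "DialParamsUID" and "PhoneNumber". That is the shape of an INI-style phonebook reader: enumerate every section, then read those three keys from each. That the file is the RAS phonebook (rasphone.pbk) is an inference from these strings and the folder; the report does not show the file name. The Python below is an added example, not code from the report or from the sample: it re-implements the lookup rules of the two profile APIs (case-insensitive section and key names, ";" comment lines, matching surrounding quotes stripped, a default when the key is absent) and applies them to a constructed phonebook in that layout, so an analyst can see exactly which fields such a reader collects from a victim machine.

```python
"""Re-implementation of the GetPrivateProfileSectionNamesA /
GetPrivateProfileStringA lookup rules applied to a phonebook-style INI file.
Added example; not code from the report or from the analysed sample."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<val>.*?)\s*$")


def parse_ini(text):
    """Return [(section, {key_lower: value})] in file order.

    Mirrors the profile APIs: names compare case-insensitively, lines starting
    with ';' are comments, and a value wrapped in matching single or double
    quotes has the quotes removed.
    """
    sections, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group("name"), current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
                val = val[1:-1]
            current[m.group("key").lower()] = val
    return sections


def profile_section_names(text):
    """GetPrivateProfileSectionNamesA equivalent: every section name, in order."""
    return [name for name, _ in parse_ini(text)]


def profile_string(text, section, key, default=""):
    """GetPrivateProfileStringA equivalent: value of key in section, else default.

    Re-parses on each call, as the Win32 API re-reads the file on each call.
    """
    for name, keys in parse_ini(text):
        if name.lower() == section.lower():
            return keys.get(key.lower(), default)
    return default


# The three keys named in the function's string table.
HARVESTED_KEYS = ("Device", "DialParamsUID", "PhoneNumber")


def harvest(text):
    """Per-entry view of what a reader of these three keys obtains."""
    return [
        {"entry": name, **{k: profile_string(text, name, k) for k in HARVESTED_KEYS}}
        for name in profile_section_names(text)
    ]


# Constructed sample in rasphone.pbk layout; not captured from the sandbox run.
SAMPLE_PBK = """\
; constructed example phonebook
[Office VPN]
Encoding=1
Type=2
DialParamsUID=123456
Device=WAN Miniport (PPTP)
PhoneNumber=vpn.example.test

[Dial-up ISP]
DialParamsUID=654321
Device="Standard 56000 bps Modem"
PhoneNumber=5550100
"""

if __name__ == "__main__":
    for entry in harvest(SAMPLE_PBK):
        print(entry)
```

The second function in the report resolves only GetPrivateProfileSectionNamesA, which corresponds to profile_section_names alone (an inventory of entry names); the first adds GetPrivateProfileStringA, which is the per-key read in profile_string. On a real host the interesting field is DialParamsUID, since it is the identifier under which Windows stores the entry's saved dial parameters, so an inventory of these values tells an investigator which connection entries the sample was positioned to target.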
                                                  Strings
                                                   Memory Dump Source: same dump, associated regions and IDA snapshot (hcaresult_0_2_10000000_loaddll32.jbxd) as the first record above
                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                  • String ID: .$.$.$.$:$A$AOr$C$E$F$H$I$I$I$I$I$I$I$O$O$R$T$U$W$a$a$a$a$at.$b$c$d$d$d$g$i$i$i$l$l$l$l$l$l$l$l$m$n$n$n$n$n$n$n$n$n$n$n$n$o$o$p$p$p$p$p$p$p$r$r$r$r$r$t$t$t$t$t$t$t$t$t$t$t$t$t$t
                                                  • API String ID: 310444273-3809768815
                                                  • Opcode ID: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                  • Instruction ID: 4c56c63e57b0a57d431be2d6ff2093808df29b32732bb1a27d8720569643267d
                                                  • Opcode Fuzzy Hash: 63e450fb999bb24abaee570fbd4232a6528e175d703855afcbb30a5378cb40b5
                                                  • Instruction Fuzzy Hash: E9E1E42150D3C0DDE332C238844879FBFD65BA2648F48499DE5C84B293C7BA9558D77B
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001ED7E
                                                  • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 1001EDBD
                                                  • GetCurrentProcess.KERNEL32 ref: 1001EEEB
                                                  • GetCurrentThread.KERNEL32 ref: 1001EEF2
                                                  • GetCurrentProcess.KERNEL32(00000020), ref: 1001EF67
                                                  • GetCurrentThread.KERNEL32 ref: 1001EF6E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Current$ModuleProcessThread$AddressEnvironmentFileHandleLibraryLoadNameProcVariable
                                                  • String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$.$2$3$A$A$A$A$COMSPEC$D$F$K$L$N$P$P$R$R$S$T$T$a$a$a$b$c$d$d$d$h$h$i$i$i$i$l$l$l$m$m$o$o$r$r$r$r$r$r$r$s$s$s$s$s$s$t$t$t$t$t$t$t$u$u$y
                                                  • API String ID: 2038349478-1119942076
                                                  • Opcode ID: 490859674d05f5fa8cf34ac90298807cd5a94b9c9337227081a1d025c53f5c08
                                                  • Instruction ID: bbed58369666b1c2bd5cd146773a1f73191dac64ed8760fac5291f00d2832cff
                                                  • Opcode Fuzzy Hash: 490859674d05f5fa8cf34ac90298807cd5a94b9c9337227081a1d025c53f5c08
                                                  • Instruction Fuzzy Hash: 15E1292150C7C089E326C6788449B9FFFD56BE2748F084A5DE2D84B2D2CAFA9548C777
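The function record above is the sample's delayed self-delete: it reads COMSPEC, takes the path returned by GetModuleFileNameA(NULL) (the main executable of the process hosting the DLL; in this run that is loaddll32.exe), and evidently joins the two string fragments "/c ping -n 2 127.0.0.1 > nul && del " and " > nul" around it (the "$" in the String ID line is Joe Sandbox's separator between strings). "ping -n 2" against loopback is a roughly one-second sleep so the executable's handle is released before "del" runs. The detector below, an added example that is not code from the sample or from Joe Sandbox, runs that idiom over process-creation records of the Sysmon Event ID 1 / Security 4688 kind. The records, paths and PIDs are constructed for the example; it generalises the observed string to any ping-against-loopback chained into a del with either "&" or "&&", and flags the strong case where the deleted path is the parent process's own image.

```python
"""Detect the cmd.exe self-delete idiom:
   %COMSPEC% /c ping -n 2 127.0.0.1 > nul && del <path> > nul
over process-creation records. Added example; not code from the sample
or from Joe Sandbox. Sample records below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# /c ... ping <args> [& or &&] del [/flags] <path> [> nul]
SELF_DELETE_RE = re.compile(
    r"""/c\s+
        ping(?:\.exe)?\s+(?P<ping>[^&]*?)\s*      # ping arguments up to the chain operator
        &{1,2}\s*
        del\s+(?P<flags>(?:/[a-z]\s+)*)           # del with optional /f /q ...
        "?(?P<path>[^"&>|]+?)"?\s*(?:>|$|&)       # target path, up to a redirect or the end
    """,
    re.IGNORECASE | re.VERBOSE,
)
# a ping against a loopback address is only ever used as a sleep
LOOPBACK_RE = re.compile(r"(?<![\w.])(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.IGNORECASE)
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcessEvent:          # constructed stand-in for an EDR/Sysmon process-creation record
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    pid: int
    deleted_path: str
    deletes_parent: bool     # True when the deleted path is the parent's own image
    ping_count: Optional[int]


def _norm_path(p: str) -> str:
    return p.strip().strip('"').replace("/", "\\").lower()


def detect_self_delete(ev: ProcessEvent) -> Optional[Finding]:
    m = SELF_DELETE_RE.search(ev.command_line)
    if not m or not LOOPBACK_RE.search(m.group("ping")):
        return None                      # no ping-then-delete chain, or a real ping to a host
    count = PING_COUNT_RE.search(m.group("ping"))
    path = m.group("path").strip()
    return Finding(
        pid=ev.pid,
        deleted_path=path,
        deletes_parent=_norm_path(path) == _norm_path(ev.parent_image),
        ping_count=int(count.group(1)) if count else None,
    )


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in map(detect_self_delete, events) if f is not None]


# Constructed sample records (hypothetical paths and PIDs, not from the report).
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping -n 2 127.0.0.1 > nul && del C:\Users\Public\update.exe > nul',
                 r"C:\Users\Public\update.exe"),              # parent deletes itself: strong signal
    ProcessEvent(4127, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ping -n 4 10.0.0.5 > C:\Temp\ping.txt && del C:\Temp\old.log",
                 r"C:\Windows\explorer.exe"),                 # real ping to a host: benign batch
    ProcessEvent(4133, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c ping localhost -n 3 >nul & del /f /q "C:\ProgramData\svc host.exe"',
                 r"C:\Windows\explorer.exe"),                 # variant: single &, flags, quoted path
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The loopback check is what keeps the rule quiet: "ping && del" on its own appears in legitimate batch files, while a ping to 127.0.0.1 followed by a delete has no purpose other than waiting for a handle to close. The parent-image comparison is the high-confidence tier; it requires the parent's image path in the telemetry, which both Sysmon Event ID 1 and Security 4688 provide.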
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10024C06
                                                  • WTSEnumerateSessionsA.WTSAPI32 ref: 10024C3B
                                                  • GetVersionExA.KERNEL32(?), ref: 10024C53
                                                    • Part of subcall function 10024A90: WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                    • Part of subcall function 10024A50: WTSQuerySessionInformationA.WTSAPI32(00000000,?,0000000A,?,?,10024ED1,?,?,?), ref: 10024A6F
                                                    • Part of subcall function 10024B40: WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                    • Part of subcall function 10024B40: WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F03
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F25
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F31
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F3A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F46
                                                  • LocalSize.KERNEL32(00000000), ref: 10024F54
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042,?,?,?,?), ref: 10024F62
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F73
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024F91
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FA7
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FCF
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10024FE5
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 10025006
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002501C
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 1002503D
                                                  • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 100250A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Local$AllocInformationQuerySession$Process$CurrentEnumerateFreeMemoryOpenSessionsSizeTokenVersion
                                                  • String ID: AtR$C$C$D$D$I$I$LoSvAtR$Q$RDI$SeDebugPrivilege$SvAtR$c$c$c$c$d$d$d$i$i$i$l$n$n$n$n$n$n$n$n$o$o$o$o$r$s$t$t$t$t$u$v$w$w$y
                                                  • API String ID: 3275454331-1820797497
                                                  • Opcode ID: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction ID: b1de97bb1e532192dcc96ff274dd48cc58c084c44de882cac167928afb279602
                                                  • Opcode Fuzzy Hash: f5624e6b6a617209da6a5c80ef3033c770dc07205c0af6250f8b0743bed6d2d5
                                                  • Instruction Fuzzy Hash: 83E1053050C3C1CEE325CB28C484B9FBBE1AB96708F48495DE5C857352DBBA9909CB67
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exec
                                                  • String ID: &$&$&$&$/$/$1$2$3$4$5$6$:$a$a$a$a$a$c$c$d$d$d$g$g$g$g$i$i$i$l$l$m$n$n$n$n$o$o$o$p$r$r$r$r$r$u$u$u$u$u$u$v$y
                                                  • API String ID: 459137531-3041118241
                                                  • Opcode ID: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction ID: 7bc06bb267aba25a745494efeaf4f4d644bd4b710169c1d4aeb2a62eee067a6f
                                                  • Opcode Fuzzy Hash: b22cca66343ad3003d2291dea90512d45e7e4697c411a4a85f85a143834da450
                                                  • Instruction Fuzzy Hash: 08510C2554E3C1DDE312C668918878FEFD21FB7648E48598DB1C81B393C2AA825CC777
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000FC8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FC95
                                                  • LoadLibraryA.KERNEL32(?,.23L), ref: 1000FCDE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000FCE1
                                                  • GetTickCount.KERNEL32 ref: 1000FD3E
                                                  • sprintf.MSVCRT ref: 1000FD4F
                                                  • GetTickCount.KERNEL32 ref: 1000FD8C
                                                  • sprintf.MSVCRT ref: 1000FD9D
                                                  • lstrcatA.KERNEL32(?,?), ref: 1000FDB3
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000FE19
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FE20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCountLibraryLoadProcTicksprintf$CloseFileHandleWritelstrcat
                                                  • String ID: .$.23L$2$3$A$A$C$F$G$K$L$N$P$P$R$T$a$a$d$e$e$e$e$e$e$g$h$i$igu$m$n$o$p$p$r$s$t$t$t$u
                                                  • API String ID: 3729143920-1829843242
                                                  • Opcode ID: be69d7072731297b0b3e170cd7eb9345f74aa06f0dd775d95f5218c24336af5c
                                                  • Instruction ID: d6333924631afeb965d673ddae39e8c487648ef1f7016fef5eba0a33fe2752c1
                                                  • Opcode Fuzzy Hash: be69d7072731297b0b3e170cd7eb9345f74aa06f0dd775d95f5218c24336af5c
                                                  • Instruction Fuzzy Hash: 96916C3110C3C09AE312CB68D848B9BBFD5ABA6718F084A5DF6D4462D2D7BA950CC773
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013BB7
                                                  • strstr.MSVCRT ref: 10013BCA
                                                  • strstr.MSVCRT ref: 10013BDF
                                                  • strncpy.MSVCRT ref: 10013C2B
                                                  • _itoa.MSVCRT ref: 10013C71
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10013C8A
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10013CB0
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013CBD
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013CED
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D00
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D03
                                                  • sprintf.MSVCRT ref: 10013D2E
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 10013D66
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 10013D82
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D93
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D96
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013D99
                                                  • atol.MSVCRT ref: 10013DB2
                                                  • #823.MFC42(00000001,?,?), ref: 10013DC0
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013DE8
                                                  • #825.MFC42(00000000), ref: 10013DF3
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E02
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E05
                                                  • InternetCloseHandle.WININET(?), ref: 10013E0C
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E24
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013E27
                                                  • InternetCloseHandle.WININET(?), ref: 10013E2E
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E3E
                                                  • #823.MFC42(00000002), ref: 10013E4B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 10013E75
                                                  • #825.MFC42(00000000), ref: 10013E7C
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013E93
                                                  • #823.MFC42(00000001), ref: 10013E9F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013ECA
                                                  • #825.MFC42(00000000), ref: 10013ED1
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10013EDF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_group_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$create$gc=%u&st=0&end=1999&sort=0&%s$gmr$join$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-3639289013
                                                  • Opcode ID: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction ID: faa93913a6112bf75685c4331b660b6eedd4284dd9d5a7e5e4bfb64d0fa1d1b7
                                                  • Opcode Fuzzy Hash: 990525e5488a96e8453cdc46b1721a0efc440dc8632db5c924d2235e82eb403e
                                                  • Instruction Fuzzy Hash: 97D14876A043142BE310DA689C81FAB77DDEB84760F05463DFB09A72C1EB74ED0587A6
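The function record above builds a cleartext HTTP POST to qun.qq.com: InternetConnectA is called with port 0x50 (80) and service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with "POST" and the path "/cgi-bin/qun_mgr/get_group_list", HttpQueryInfoA with class 5 (HTTP_QUERY_CONTENT_LENGTH) to size the response buffer, and MultiByteToWideChar with code page 0xFDE9 (65001, CP_UTF8) to convert it. The three strstr calls together with the strings "skey=" and "p_skey" are consistent with the function pulling QQ session cookies out of a cookie string before sending them, and the header block in the String ID line lost its CRLFs in the listing ("$" is Joe Sandbox's separator between strings). The classifier below is an added example, not code from the sample or from Joe Sandbox: it renders the request as the format strings lay it out (CRLFs, and the Host, User-Agent and Content-Length headers WinINet adds, are assumed) and then scores captured requests against the indicators. The captured requests are constructed for the example. A browser on the QQ group-management page can hit the same URI, so the frozen "MSIE 9.0; Windows NT 6.1" agent string, not the host or path alone, is what separates this traffic from a real client.

```python
"""Classify captured HTTP requests against the qun.qq.com request the
function above assembles. Added example; not code from the sample or from
Joe Sandbox. Indicators are copied from the string table; CRLFs and the
WinINet-supplied Host/User-Agent/Content-Length headers are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

C2_HOST = "qun.qq.com"
C2_PATH = "/cgi-bin/qun_mgr/get_group_list"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
QQ_SESSION_COOKIES = ("skey", "p_skey")     # cookie names the function looks for


def build_request(cookie: str, referer_suffix: str = "", body: str = "bkn=0") -> bytes:
    """Render the request as the format strings lay it out (cleartext, port 80).
    The %s after the Referer and the bkn value are whatever the function fills in."""
    extra_headers = (                        # the block passed to HttpSendRequestA
        "Accept: */*\r\n"
        f"Referer: http://{C2_HOST}{referer_suffix}\r\n"
        "Accept-Language: zh-cn\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Cookie: {cookie}"
    )
    return (
        f"POST {C2_PATH} HTTP/1.1\r\n"
        f"Host: {C2_HOST}\r\n"               # added by WinINet
        f"User-Agent: {LEGACY_UA}\r\n"       # agent string given to InternetOpenA
        f"{extra_headers}\r\n"
        f"Content-Length: {len(body)}\r\n"   # added by WinINet
        f"\r\n{body}"
    ).encode()


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Minimal HTTP/1.1 request parser: (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


@dataclass
class Verdict:
    matched: List[str]
    cookie_names: List[str]

    @property
    def is_c2_like(self) -> bool:
        # host and URI are shared with real QQ web clients; the frozen IE9/Win7 agent is not
        return "uri" in self.matched and "legacy-ua" in self.matched


def classify_request(raw: bytes) -> Verdict:
    method, path, headers, _ = parse_request(raw)
    matched: List[str] = []
    if method == "POST" and path == C2_PATH:
        matched.append("uri")
    if headers.get("host", "").lower() == C2_HOST:
        matched.append("host")
    if headers.get("user-agent") == LEGACY_UA:
        matched.append("legacy-ua")
    cookie_names = [c.split("=", 1)[0].strip()
                    for c in headers.get("cookie", "").split(";") if c.strip()]
    if any(n in cookie_names for n in QQ_SESSION_COOKIES):
        matched.append("qq-session-cookie")
    return Verdict(matched, cookie_names)


# Constructed samples (not captured traffic; cookie values are placeholders).
MALWARE_LIKE = build_request("skey=@abcdef; p_skey=xyz123")
BROWSER_LIKE = (
    b"POST /cgi-bin/qun_mgr/get_group_list HTTP/1.1\r\n"
    b"Host: qun.qq.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    b"Referer: https://qun.qq.com/member.html\r\n"
    b"Cookie: uin=o0123; skey=@abcdef\r\n"
    b"Content-Length: 9\r\n\r\nbkn=12345"
)
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("malware-like", MALWARE_LIKE), ("browser-like", BROWSER_LIKE), ("unrelated", UNRELATED)):
        print(name, classify_request(raw))
```

The same three fields (host, URI, user agent) are what a network signature would key on; the cookie-name check is worth keeping as a secondary indicator because the request carries the victim's QQ session cookies in the clear, which is the exposure an incident responder has to act on (session invalidation) regardless of how the request was classified.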
                                                  APIs
                                                  • #356.MFC42 ref: 10007AA2
                                                  • #540.MFC42 ref: 10007AB6
                                                  • #540.MFC42 ref: 10007AC7
                                                  • #540.MFC42 ref: 10007AD8
                                                  • #540.MFC42 ref: 10007AE9
                                                    • Part of subcall function 10008080: #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                    • Part of subcall function 10008080: #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                    • Part of subcall function 10008080: #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                    • Part of subcall function 10008080: #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                    • Part of subcall function 10011E20: #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                    • Part of subcall function 10011E20: #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                    • Part of subcall function 10011E20: #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                    • Part of subcall function 10011E20: #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  • #858.MFC42 ref: 10007B2F
                                                  • #800.MFC42 ref: 10007B40
                                                  • #537.MFC42(*.*), ref: 10007B59
                                                  • #922.MFC42(?,?,00000000,*.*), ref: 10007B6E
                                                  • #858.MFC42(00000000,?,?,00000000,*.*), ref: 10007B80
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007B90
                                                  • #800.MFC42(00000000,?,?,00000000,*.*), ref: 10007BA1
                                                  • #2770.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BB1
                                                  • #2781.MFC42(?,00000000,00000000,?,?,00000000,*.*), ref: 10007BCF
                                                  • #4058.MFC42 ref: 10007BEF
                                                  • #858.MFC42(?), ref: 10007C01
                                                  • #858.MFC42(?,?), ref: 10007C0E
                                                  • #858.MFC42(?,?,?), ref: 10007C1B
                                                  • #3178.MFC42(?,?,?,?), ref: 10007C8A
                                                  • #922.MFC42(?,?,00000000,?,?,?,?), ref: 10007C9D
                                                  • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CAF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CBF
                                                  • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 10007CD0
                                                  • #1980.MFC42 ref: 10007CED
                                                  • #858.MFC42(?), ref: 10007CF6
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007D1E
                                                  • #922.MFC42(?,?,?), ref: 10007D2E
                                                  • #858.MFC42(00000000,?,?,?), ref: 10007D40
                                                  • #800.MFC42(00000000,?,?,?), ref: 10007D51
                                                  • #2770.MFC42(?,00000000,00000000,?,?,?), ref: 10007D61
                                                  • #2781.MFC42(?,00000000,00000000,?,?,?), ref: 10007D7F
                                                  • #4058.MFC42(?,00000000,00000000,?,?,?), ref: 10007D8C
                                                  • #4215.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007DAD
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DC6
                                                  • #3324.MFC42(?,00000000,00000000,?,?,?), ref: 10007DE7
                                                  • #3310.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E22
                                                  • #3010.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007E7F
                                                  • #3304.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007ED4
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F33
                                                  • #800.MFC42(?,?,?,?,00000000,00000000,?,?,?), ref: 10007F58
                                                  • #3181.MFC42(?,?,00000000,00000000,?,?,?), ref: 10007F6A
                                                  • #941.MFC42(100FA614), ref: 10007F91
                                                  • #6883.MFC42(?,?), ref: 10007FA2
                                                  • #800.MFC42(?,?), ref: 10007FB3
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 10007FE1
                                                  • #800.MFC42 ref: 10008015
                                                  • #800.MFC42 ref: 10008026
                                                  • #800.MFC42 ref: 10008037
                                                  • #800.MFC42 ref: 10008048
                                                  • #668.MFC42 ref: 1000805C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#3811$#540$#922$#2770#2781#3181#3324#4058#537Message$#1980#2614#3010#3178#3304#3310#356#4215#535#668#6883#860#940#941
                                                  • String ID: *.*$warning
                                                  • API String ID: 3130606840-3923866357
                                                  • Opcode ID: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction ID: b1e61bf16f4b2c14380c5a5ce74a3a62fa832d31a0b46feb69f6aa117d284303
                                                  • Opcode Fuzzy Hash: 251ad2f11a4f3d366ba395f991fd5f89db86f2f297839ac524b49303de88fe60
                                                  • Instruction Fuzzy Hash: 42027F745083858BD354CF64C941FABBBE5FF98684F40492CF9DA43296EB34E909CB62
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$Eventfreemalloc
                                                  • String ID: .$0$2$3$A$A$C$D$G$K$L$N$P$P$R$S$T$W$\$a$a$a$c$d$f$h$i$l$l$l$m$n$o$p$t$t$t$t$t$u
                                                  • API String ID: 4197004350-898277365
                                                  • Opcode ID: 2c3a0603530f328a27061e7ef2e005e9cbed302183f30dfe61a54d0479010bab
                                                  • Instruction ID: 602051e4c15d0ae263632009933f159da553bc9aa47493433fa8a4b6ec865501
                                                  • Opcode Fuzzy Hash: 2c3a0603530f328a27061e7ef2e005e9cbed302183f30dfe61a54d0479010bab
                                                  • Instruction Fuzzy Hash: 2361596110C3C0DDE312D7A89848B8BBFD59BE6308F08499DF5C84B292C6BA9218C777
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 10021B6B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B78
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateThread), ref: 10021B8C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021B8F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 10021BDB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021BDE
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,esolC), ref: 10021C52
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C55
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,TerminateProcess), ref: 10021C65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C68
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,DisconnectNamedPipe), ref: 10021C78
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021C7B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021C92
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10021CB2
                                                  • #823.MFC42 ref: 10021CC3
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 10021CD3
                                                  • GetCurrentProcessId.KERNEL32 ref: 10021CE7
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10021CFE
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10021D09
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021D10
                                                  • #825.MFC42(00000000), ref: 10021D29
                                                  • FreeConsole.KERNEL32 ref: 10021D3B
                                                  • Sleep.KERNEL32(0000000A), ref: 10021D43
                                                  • FreeConsole.KERNEL32 ref: 10021D49
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadProcess$Console$FreeHandleListSleep$#823#825CloseCurrentModuleOpenTerminate
                                                  • String ID: AttachConsole$C$DisconnectNamedPipe$F$KERNEL32.dll$S$TerminateProcess$TerminateThread$W$a$c$e$e$elgn$esolC$g$l$l$l$n$o$o$r$s
                                                  • API String ID: 708691324-3966567685
                                                  • Opcode ID: 62a8ec905f88b91a11ae1cd4da243d0e53f22201e0d1d22e539312b09ba5d90b
                                                  • Instruction ID: cf1f5277686905855bd25b190fa0d761f5aaa359cd9de27ddd2c5b13a96cf28f
                                                  • Opcode Fuzzy Hash: 62a8ec905f88b91a11ae1cd4da243d0e53f22201e0d1d22e539312b09ba5d90b
                                                  • Instruction Fuzzy Hash: BFB1B0746083949BDB20DF68CC84BDFBBE9AF95740F45481DF9889B241C7B5E904CBA2
                                                  APIs
                                                  • strstr.MSVCRT ref: 10013514
                                                  • strstr.MSVCRT ref: 10013527
                                                  • strstr.MSVCRT ref: 1001353C
                                                  • strncpy.MSVCRT ref: 10013588
                                                  • _itoa.MSVCRT ref: 100135CE
                                                  • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 100135E7
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1001360D
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001361A
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 1001364A
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001365D
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013660
                                                  • sprintf.MSVCRT ref: 1001368B
                                                  • HttpSendRequestA.WININET(00000000,?,?,?), ref: 100136C3
                                                  • HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 100136DF
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F0
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F3
                                                  • InternetCloseHandle.WININET(00000000), ref: 100136F6
                                                  • atol.MSVCRT ref: 1001370F
                                                  • #823.MFC42(00000001,?,?), ref: 1001371D
                                                  • InternetReadFile.WININET(00000000,00000000,00000001,?), ref: 10013745
                                                  • #825.MFC42(00000000), ref: 10013750
                                                  • InternetCloseHandle.WININET(00000000), ref: 1001375F
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013762
                                                  • InternetCloseHandle.WININET(?), ref: 10013769
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013781
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013784
                                                  • InternetCloseHandle.WININET(?), ref: 1001378B
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 1001379B
                                                  • #823.MFC42(00000002), ref: 100137A8
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 100137D2
                                                  • #825.MFC42(00000000), ref: 100137D9
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 100137F0
                                                  • #823.MFC42(00000001), ref: 100137FC
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10013827
                                                  • #825.MFC42(00000000), ref: 1001382E
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 1001383C
                                                  Strings
                                                  • , xrefs: 10013503
                                                  • POST, xrefs: 10013644
                                                  • /cgi-bin/qun_mgr/get_friend_list, xrefs: 100134DB
                                                  • qun.qq.com, xrefs: 100134BB
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 10013685
                                                  • bkn=, xrefs: 1001354D
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 100134AF
                                                  • HTTP/1.1, xrefs: 1001363E
                                                  • skey=, xrefs: 10013521
                                                  • p_skey, xrefs: 100134FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$#825ByteCharMultiWide$#823Httpstrstr$OpenRequest$ConnectFileInfoQueryReadSend_itoaatolsprintfstrncpy
                                                  • String ID: $/cgi-bin/qun_mgr/get_friend_list$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$bkn=$p_skey$qun.qq.com$skey=
                                                  • API String ID: 3684279964-1003693118
                                                  • Opcode ID: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction ID: a6aeb5833008578cdead13e838f5760d2c554c937ea3091131f56ecc18512e5b
                                                  • Opcode Fuzzy Hash: 83a2f2817c2aedd7fbe9857ede55100449b32c6472bc6b786a787f71fcc3d649
                                                  • Instruction Fuzzy Hash: 4FA137726003146BE314DA788C41FAB7BDDFBC4320F044629FA59E72C0DEB4A9058B95
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • DeleteFileA.KERNEL32(00000001,?,00000001,00000001,?,00000001,00000001,00000001), ref: 1000874C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressDeleteFileHandleLibraryLoadModuleProc
                                                  • String ID: .$2$3$4$4$6$6$E$E$F$K$L$N$R$R$R$R$W$W$a$c$d$d$i$i$i$l$l$n$n$o$o$o$open$r$r$r$s$t$t$v$w$w
                                                  • API String ID: 357481036-173339048
                                                  • Opcode ID: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction ID: b2534d6be5788ef259c749724872d3f87395c9b78c17d96c33da540c7ee2e7e0
                                                  • Opcode Fuzzy Hash: b35eb0abf191cff89a94c78c48ed883a63f7157c3257380d681e420933c49f90
                                                  • Instruction Fuzzy Hash: 5B91291010C3C0D9E356C668848871FBED6ABA668CF48598DB1C95B287C6BF961CC77B
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(KERNEL32.dll,AttachConsole), ref: 10022086
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10022093
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WriteFile), ref: 100220A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100220A8
                                                  • Sleep.KERNEL32(0000000A), ref: 100220F7
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 10022117
                                                  • #823.MFC42 ref: 1002212C
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1002213C
                                                  • GetCurrentProcessId.KERNEL32 ref: 1002215C
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 10022173
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 10022182
                                                  • CloseHandle.KERNEL32(00000000), ref: 10022185
                                                  • #825.MFC42(00000000), ref: 100221B0
                                                  • FreeConsole.KERNEL32 ref: 100221BE
                                                  • Sleep.KERNEL32(0000000A), ref: 100221C6
                                                  • FreeConsole.KERNEL32 ref: 100221CC
                                                    • Part of subcall function 10010BA0: SetEvent.KERNEL32(?,10017547), ref: 10010BA4
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1002233F
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10022383
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100223A7
                                                  • CloseHandle.KERNEL32(00000000), ref: 100223B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Console$Handle$AddressCloseFileFreeListProcSleep$#823#825CreateCurrentDirectoryEventLibraryLoadModuleOpenSystemTerminateWrite
                                                  • String ID: AttachConsole$Control-C^C$GetMP privilege::debug sekurlsa::logonpasswords exit$KERNEL32.dll$WriteFile$\GetMP.exe
                                                  • API String ID: 1461520672-3309419308
                                                  • Opcode ID: ca400952289ac4a71aaecc90c8329902c0f6e1411d59f4cd10b051cf28bc4547
                                                  • Instruction ID: 8191db94a3e5b8802b66811b8cf0c2ec8646e2766794c6970eea818724010983
                                                  • Opcode Fuzzy Hash: ca400952289ac4a71aaecc90c8329902c0f6e1411d59f4cd10b051cf28bc4547
                                                  • Instruction Fuzzy Hash: 7BA12975600315ABD710EB64DC81FDB77D4FB84350F450629FE49AB280DA35EC49C7A1
                                                  APIs
                                                  • InternetOpenA.WININET ref: 100138CF
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 100138F5
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013902
                                                  • HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,80084010,00000000), ref: 10013932
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013945
                                                  • InternetCloseHandle.WININET(00000000), ref: 10013948
                                                  Strings
                                                  • POST, xrefs: 1001392C
                                                  • qun.qq.com, xrefs: 10013878
                                                  • Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s, xrefs: 1001396D
                                                  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), xrefs: 1001386F
                                                  • , xrefs: 100138BC
                                                  • HTTP/1.1, xrefs: 10013926
                                                  • /cgi-bin/qun_mgr/search_group_members, xrefs: 10013898
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$Open$ConnectHttpRequest
                                                  • String ID: $/cgi-bin/qun_mgr/search_group_members$Accept: */*Referer: http://qun.qq.com%sAccept-Language: zh-cnContent-Type: application/x-www-form-urlencodedCookie: %s$HTTP/1.1$Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)$POST$qun.qq.com
                                                  • API String ID: 3078302290-2376693140
                                                  • Opcode ID: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction ID: ea8ef1183b0b68027489ada680c689866708b7ee025198ed557c1e0327d219cf
                                                  • Opcode Fuzzy Hash: 492e52c6053871d090237183561d3215cecf92edc6964bc9b14581eaf8abf60b
                                                  • Instruction Fuzzy Hash: 197119366447147BF310EB689C45FAB77DDFB84720F184629F749A72C0DAB4A9048BA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C1EF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C1F8
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetCloseHandle), ref: 1002C226
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C229
                                                  • LoadLibraryA.KERNEL32(wininet.dll,InternetOpenUrlA), ref: 1002C239
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C23C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: $($)$.$/$0$4$CreateFileA$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$KERNEL32.dll$M$WININET.dll$b$c$e$m$o$o$p$t$wininet.dll$z
                                                  • API String ID: 2574300362-3884860928
                                                  • Opcode ID: 224e0dd4ab928927df822a2dffbfbb36cb07a03d3d7564adca7cfc7b82793162
                                                  • Instruction ID: c0abc2066aebf88cc998d4edd2297434545a44ab64bdfcc632aab4ed3093ae44
                                                  • Opcode Fuzzy Hash: 224e0dd4ab928927df822a2dffbfbb36cb07a03d3d7564adca7cfc7b82793162
                                                  • Instruction Fuzzy Hash: DC51927110C3C4AEE311EBA89C84B9FBFD99BD5248F444A1DF28857282C679D6088777
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • GetVersionExA.KERNEL32(?), ref: 1001DF7B
                                                    • Part of subcall function 1001AC50: LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                    • Part of subcall function 1001AC50: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                    • Part of subcall function 1001AC50: FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  • ExitProcess.KERNEL32 ref: 1001E015
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$ExitFreeHandleModuleProcessVersion
                                                  • String ID: .$.$2$2$3$3$D$I$L$P$S$S$S$S$V$a$c$d$d$e$e$e$e$e$i$l$l$l$l$n$r$s$u$v$v
                                                  • API String ID: 1234256494-3470857448
                                                  • Opcode ID: 36da317328d6cc26efa9d1f20eee9a63af9a5724958b8fbcc2c9a88dd00b065d
                                                  • Instruction ID: faf3d8cbad892df49821192e38232370f2f3dc0b53dba95cfad8dee6dbcf8161
                                                  • Opcode Fuzzy Hash: 36da317328d6cc26efa9d1f20eee9a63af9a5724958b8fbcc2c9a88dd00b065d
                                                  • Instruction Fuzzy Hash: E651292140C3C1DDE312D7688898B5FBFE55BA6348F48499EF1C94A282C2BAC65CC777
                                                  APIs
                                                  • AttachConsole.KERNEL32(?), ref: 1000FEF3
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FEFB
                                                  • AttachConsole.KERNEL32(?), ref: 1000FF05
                                                  • GetConsoleProcessList.KERNEL32(?,00000001), ref: 1000FF18
                                                  • #823.MFC42(00000000), ref: 1000FF29
                                                  • GetConsoleProcessList.KERNEL32(00000000,00000000), ref: 1000FF39
                                                  • GetCurrentProcessId.KERNEL32 ref: 1000FF43
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 1000FF57
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000FF66
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000FF6D
                                                  • #825.MFC42(00000000), ref: 1000FF7E
                                                  • FreeConsole.KERNEL32 ref: 1000FF8C
                                                  • Sleep.KERNEL32(0000000A), ref: 1000FF94
                                                  • FreeConsole.KERNEL32 ref: 1000FF9A
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 1000FFA6
                                                  • CloseHandle.KERNEL32(?), ref: 10010006
                                                  • CloseHandle.KERNEL32(?), ref: 1001000E
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00020000), ref: 1001002F
                                                  • OpenServiceA.ADVAPI32(00000000,1011EC82,00000010), ref: 10010043
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010050
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010066
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010077
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001007A
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10010087
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1001008A
                                                  • GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 100100C8
                                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 100100D1
                                                  • CloseHandle.KERNEL32(?), ref: 100100E4
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 100100FB
                                                  • CreateProcessA.KERNEL32 ref: 1001016C
                                                  • CloseHandle.KERNEL32(?), ref: 1001017F
                                                  • CloseHandle.KERNEL32(?), ref: 10010186
                                                  • ExitProcess.KERNEL32 ref: 1001018A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$Process$Service$Console$Open$AttachCreateFreeListSleepTerminate$#823#825CommandCurrentExitFileLineManagerModuleNameStart
                                                  • String ID: -inst$D$D
                                                  • API String ID: 2444995177-2453324352
                                                  • Opcode ID: f54e4074660f88b0bdae5fe990c320869930c9d88aaffbbe3879b9626df7e8b0
                                                  • Instruction ID: 98985605fcc703f9fdbef281bb8341be8c015c81e6291aeb734cef0fa070c5c2
                                                  • Opcode Fuzzy Hash: f54e4074660f88b0bdae5fe990c320869930c9d88aaffbbe3879b9626df7e8b0
                                                  • Instruction Fuzzy Hash: 9C81C271600316ABE700EB64CC84B7B77E9FF88790F054A2DFA4997694DB74EC018BA5
                                                  APIs
                                                  • #535.MFC42(00000030,00000002,00000000,?,00000000), ref: 10011B2F
                                                  • #540.MFC42 ref: 10011B40
                                                  • #540.MFC42 ref: 10011B4E
                                                  • #6282.MFC42 ref: 10011B69
                                                  • #6283.MFC42 ref: 10011B72
                                                  • #941.MFC42(100FA644), ref: 10011B80
                                                  • #2784.MFC42(100FB4F0,100FA644), ref: 10011B8E
                                                  • #6662.MFC42(00000022,00000001,100FB4F0,100FA644), ref: 10011BB7
                                                  • #4278.MFC42(00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BD6
                                                  • #858.MFC42(00000000,00000030,00000001,00000000,00000022,00000001,100FB4F0,100FA644), ref: 10011BE5
                                                  • #4129.MFC42(?,00000000,100FB4F0,100FA644), ref: 10011C8B
                                                  • #858.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011C98
                                                  • #800.MFC42(00000000,?,00000000,100FB4F0,100FA644), ref: 10011CA6
                                                  • #535.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CC2
                                                  • #858.MFC42(00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011CFA
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D07
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D10
                                                  • #2614.MFC42(00000022,00000022,?,000000FF,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D19
                                                  • #5710.MFC42(?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D32
                                                  • #858.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D41
                                                  • #800.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D4F
                                                  • #6282.MFC42(00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D58
                                                  • #2784.MFC42(100FB4F0,00000000,?,?,00000000,?,00000000,100FB4F0,100FA644), ref: 10011D66
                                                  • #535.MFC42(?,?,100FB4F0,100FA644), ref: 10011D8D
                                                  • #858.MFC42(00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DC5
                                                  • #858.MFC42(00000022,00000022,?,000000FF,?,?,100FB4F0,100FA644), ref: 10011DD2
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DE8
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011DF6
                                                  • #800.MFC42(100FB4F0,100FA644), ref: 10011E07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #858$#800$#535$#2614#2784#540#6282$#4129#4278#5710#6283#6662#941
                                                  • String ID: /
                                                  • API String ID: 2746067309-2043925204
                                                  • Opcode ID: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction ID: 26f83c008789524febe6ecc07bb2f6c57f414736253c4046dad23ffb5fd3ab93
                                                  • Opcode Fuzzy Hash: 0da93068c975a70c7a6139256a48672d71f2cdb22226152c638404c253ca3162
                                                  • Instruction Fuzzy Hash: 9F91B175008385AFC344DF64D591EABF7E5EF98214F804A1CF4A657292EB30FA49CB92
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001717
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001720
                                                  • LoadLibraryA.KERNEL32 ref: 10001792
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001795
                                                  • LoadLibraryA.KERNEL32(user32.dll,GetMessageA), ref: 100017A5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017A8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer), ref: 100017B6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017B9
                                                  • LoadLibraryA.KERNEL32(USER32.dll,TranslateMessage), ref: 100017C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017CC
                                                  • LoadLibraryA.KERNEL32(USER32.dll,DispatchMessageA), ref: 100017DC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100017DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: DispatchMessageA$F$GetMessageA$KERNEL32.dll$O$S$SetEvent$TranslateMessage$USER32.dll$W$WINMM.dll$a$b$c$g$j$l$n$o$r$user32.dll$waveInAddBuffer
                                                  • API String ID: 2574300362-3155383694
                                                  • Opcode ID: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction ID: ccfd42d412a131656b4a3d3b70f2aa919a29a5acdd925cac9141545cb71d5cde
                                                  • Opcode Fuzzy Hash: 7e8f983e9651bb8cb031b777cd2917f1a46b555af6ce2a16da49d6b9aa20f874
                                                  • Instruction Fuzzy Hash: 4341C06050C384AAE310DBB98C48B8BBFD8AFD6758F040A1DF5C497281C679D648CB77
                                                  APIs
                                                    • Part of subcall function 1001B660: GetModuleHandleA.KERNEL32(?,774C83C0,1001F1D6), ref: 1001B666
                                                    • Part of subcall function 1001B660: LoadLibraryA.KERNEL32(?), ref: 1001B671
                                                    • Part of subcall function 1001B660: GetProcAddress.KERNEL32(00000000,?), ref: 1001B681
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001EA4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Handle$AddressCloseLibraryLoadModuleProc
                                                  • String ID: .$2$3$C$F$F$G$K$L$N$P$R$S$W$a$d$i$i$i$i$i$l$l$l$l$l$n$o$r$r$r$t$t$t$t$z
                                                  • API String ID: 1380958172-3142711299
                                                  • Opcode ID: 6748aa38af022bd289bb377d339d02cff14f785d1eaa90fdd08f0fe7178630b3
                                                  • Instruction ID: 946dff543b6e3595dbccf81cbd1d6d2ef272db180fb20987739b63d6b6b5eed2
                                                  • Opcode Fuzzy Hash: 6748aa38af022bd289bb377d339d02cff14f785d1eaa90fdd08f0fe7178630b3
                                                  • Instruction Fuzzy Hash: B771252114C3C0DDE342C6A88888B5FFFD55BA6748F48499DF2C85B292D2FA9548C77B
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C4A
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C5D
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF,?,10021131), ref: 10020C7A
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CA0
                                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(1011FA5C,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020CDD
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\4.txt,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000001,?,00000000), ref: 10020D06
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D1A
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 10020D35
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000), ref: 10020D51
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D69
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42), ref: 10020D81
                                                  • Sleep.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020D8E
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DB0
                                                  • #825.MFC42(?,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020DE3
                                                  • MessageBoxA.USER32(00000000,1011FA20,1011FA30,00000000), ref: 10020E05
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E14
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?,00000000,?,?,?,?,?,?,00000000,10098C42,000000FF), ref: 10020E26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$File$#825Virtual$?find@?$basic_string@AllocCloseCreateEos@?$basic_string@FreeGrow@?$basic_string@HandleMessageReadSizeSleep
                                                  • String ID: C:\Users\Public\Documents\MM\4.txt$schtasks /Query /TN MM
                                                  • API String ID: 954268177-2491561334
                                                  • Opcode ID: 09f81e51de5b4e55a1266d7cd62fa590d29f505438a05952fa1a1ebd24a1ed83
                                                  • Instruction ID: 1511acb14b0776a9426427212b465bdbe5287b54f79b6b458a66aec0f56f7bcd
                                                  • Opcode Fuzzy Hash: 09f81e51de5b4e55a1266d7cd62fa590d29f505438a05952fa1a1ebd24a1ed83
                                                  • Instruction Fuzzy Hash: 58910235A41358ABEB14CBA4DC88BEEBFB5EF19710F540258F80AB72C2C7751A41CB65
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LoadLibraryA.KERNEL32 ref: 1002176D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021776
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 10021786
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021789
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreatePipe), ref: 10021799
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002179C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetStartupInfoA), ref: 100217AC
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217AF
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateProcessA), ref: 100217BF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100217C2
                                                  • WaitForInputIdle.USER32(?,000000FF), ref: 10021998
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$IdleInputWait
                                                  • String ID: C$CreatePipe$CreateProcessA$D$GetStartupInfoA$GetSystemDirectoryA$H$KERNEL32.dll$\cmd.exe$a$dnaH$n$o$s$x32$x64
                                                  • API String ID: 2019908028-49846795
                                                  • Opcode ID: 787b727bc661289807133c1063b9d4acc9804bf8458ec979d48a69283497c5c5
                                                  • Instruction ID: 7243d7f49ff90042cf3b528d89c1a58b7f94d0d6d558076c815d9af7b46647c2
                                                  • Opcode Fuzzy Hash: 787b727bc661289807133c1063b9d4acc9804bf8458ec979d48a69283497c5c5
                                                  • Instruction Fuzzy Hash: B4C19E75608384AFC724CF24C884BDBBBE5EFD9710F50492DF5899B280DB749945CB92
                                                  APIs
                                                  • CoInitialize.OLE32 ref: 1002AED3
                                                  • CoCreateInstance.OLE32(100B7A14,00000000,00000001,100B7A34,?), ref: 1002AEEC
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AEFB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AF92
                                                  • #823.MFC42(00000000), ref: 1002AFA5
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFC0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002AFDD
                                                  • #823.MFC42(00000000), ref: 1002AFED
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 1002B008
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1002B016
                                                  • wsprintfA.USER32 ref: 1002B066
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B070
                                                  • lstrlenA.KERNEL32(?), ref: 1002B079
                                                  • lstrlenA.KERNEL32(?), ref: 1002B082
                                                  • LocalSize.KERNEL32(?), ref: 1002B094
                                                  • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 1002B0A2
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0B1
                                                  • lstrlenA.KERNEL32(?), ref: 1002B0D8
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B0E7
                                                  • lstrlenA.KERNEL32(00000000), ref: 1002B103
                                                  • lstrlenA.KERNEL32(?), ref: 1002B116
                                                  • lstrlenA.KERNEL32(?), ref: 1002B134
                                                  • #825.MFC42(00000000), ref: 1002B17B
                                                  • #825.MFC42(?), ref: 1002B1C0
                                                  • CoUninitialize.OLE32 ref: 1002B1F5
                                                  • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 1002B203
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$ByteCharLocalMultiWide$Alloc$#823#825Time$CreateFileInitializeInstanceSizeSystemUninitializewsprintf
                                                  • String ID: %d-%d-%d %d:%d:%d
                                                  • API String ID: 1491319390-2068262593
                                                  • Opcode ID: ca39104606e9e263ee6b3015d5b3357e8264c9b4ed48bae904b8d6db7f3556e7
                                                  • Instruction ID: 83fd02d03f0fa6fad3a17c8a09bdfd58819c38f13bbe38913d1c83367bc19c56
                                                  • Opcode Fuzzy Hash: ca39104606e9e263ee6b3015d5b3357e8264c9b4ed48bae904b8d6db7f3556e7
                                                  • Instruction Fuzzy Hash: 0CA1AF75208302ABD310CF24DC91F6BB7E9EFC9710F944A2CF995A7381DA75E8098792
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C508), ref: 1002371C
                                                  • LeaveCriticalSection.KERNEL32(1012C508), ref: 10023734
                                                  • malloc.MSVCRT ref: 1002374D
                                                  • malloc.MSVCRT ref: 10023756
                                                  • malloc.MSVCRT ref: 1002375F
                                                  • recv.WS2_32 ref: 100237C6
                                                  • send.WS2_32 ref: 10023846
                                                  • getpeername.WS2_32(?,?,?), ref: 1002387B
                                                  • inet_addr.WS2_32(00000000), ref: 10023888
                                                  • inet_addr.WS2_32(00000000), ref: 100238A2
                                                  • htons.WS2_32(?), ref: 100238AD
                                                  • send.WS2_32 ref: 100238EF
                                                  • CreateThread.KERNEL32(00000000,00000000,10023D00,?,00000000,?), ref: 1002392E
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1002393F
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  • send.WS2_32(?,?,00000008,00000000), ref: 10023990
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 100239BD
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000008,00000000), ref: 100239CA
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                  • closesocket.WS2_32(00000000), ref: 100239D9
                                                  • closesocket.WS2_32(?), ref: 100239DF
                                                  • free.MSVCRT ref: 100239E8
                                                  • free.MSVCRT ref: 100239EB
                                                  • free.MSVCRT ref: 100239F2
                                                  • free.MSVCRT ref: 100239F5
                                                    • Part of subcall function 10022E40: EnterCriticalSection.KERNEL32(1012C508), ref: 10022E6A
                                                    • Part of subcall function 10022E40: LeaveCriticalSection.KERNEL32(1012C508), ref: 10022E82
                                                    • Part of subcall function 10022E40: send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                    • Part of subcall function 10022E40: CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                    • Part of subcall function 10022E40: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectionfreeinet_addrsend$CreateObjectSingleThreadWaitclosesocketmalloc$EnterLeavehtons$connectgethostbynamegetpeernamerecvsetsockoptsocket
                                                  • String ID: [
                                                  • API String ID: 3942976521-784033777
                                                  • Opcode ID: b64080b388e8d217343dfe969d227965d7579416a038b7c2edfdc2482ca0bb12
                                                  • Instruction ID: e8688c2d00ca7c65c9d36b22a345f6eec658f7699299d72b3e5fb85e497582c1
                                                  • Opcode Fuzzy Hash: b64080b388e8d217343dfe969d227965d7579416a038b7c2edfdc2482ca0bb12
                                                  • Instruction Fuzzy Hash: 9381F270608344AFE310DB64DC85B5BBBE8EFC9754F548A1EF58983390E7B1E8448B62
                                                  APIs
                                                  • InternetOpenA.WININET(DownloadApp,00000001,00000000,00000000,00000000), ref: 1002082B
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EB1A3D8,1011F9C8,?,?,1002128D,?,00000001,?,?,00000001), ref: 10020846
                                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,80000000,00000000), ref: 10020871
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EB1A3D8,1011F9B8,?,?,?,1002128D,?,00000001,?,?,00000001), ref: 1002088A
                                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(00000000,?,00000001), ref: 10020894
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 1002089A
                                                  • InternetCloseHandle.WININET(00000000), ref: 100208A4
                                                  • ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,00000000,?,00000001), ref: 100209B0
                                                  Strings
                                                  • DownloadApp, xrefs: 10020826
                                                  • https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt, xrefs: 1002081D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: U?$char_traits@$V?$basic_ostream@$??6std@@D@std@@@0@InternetV10@$?endl@std@@D@std@@@1@OpenV21@@$CloseD@2@@0@@D@std@@HandleV?$allocator@V?$basic_string@
                                                  • String ID: DownloadApp$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt
                                                  • API String ID: 2470020359-224967001
                                                  • Opcode ID: ad3ce8b31274e67954fd6a37d90417a891621fb0744e36309fb1c2d0afbcec6d
                                                  • Instruction ID: 0ce6a5d251b76327a90a7f4cff9c2f8857609bfeed3971df305265b4b3698adb
                                                  • Opcode Fuzzy Hash: ad3ce8b31274e67954fd6a37d90417a891621fb0744e36309fb1c2d0afbcec6d
                                                  • Instruction Fuzzy Hash: B741E439600315BBF210EB74DC85FDB37ECFB48B51F480619FE48E6191D674A9048B65
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,774CF550), ref: 100015B9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,774CF550), ref: 100015D2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,774CF550), ref: 100015E5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,774CF550), ref: 100015F8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,774CF550), ref: 10001609
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,774CF550), ref: 1000161C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,774CF550), ref: 1000162F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateThread$KERNEL32.dll$ResumeThread$WINMM.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                  • API String ID: 2574300362-1356117283
                                                  • Opcode ID: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction ID: 9f0f930b95cd2c35929b0060be92cf7d2e31dda6e2d7e4543e4cf746f9a0d286
                                                  • Opcode Fuzzy Hash: b16c15dad6be20392214e3733c7d2997f9670e9390d019f32002513cfd113147
                                                  • Instruction Fuzzy Hash: 97414CB5900308ABDB10EFA5DC88E9BBBA8EF89350F15095AFA4497201D739E545CBA1
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,00000100), ref: 1000206D
                                                  • GlobalLock.KERNEL32(00000000), ref: 1000208C
                                                  • GlobalFree.KERNEL32(00000000), ref: 10002099
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Global$AllocFreeLock
                                                  • String ID:
                                                  • API String ID: 1811133220-0
                                                  • Opcode ID: f61c1176c89479d409d276e9d01350cc25a0f24a23cf741e919260bfb79f58ed
                                                  • Instruction ID: eabe10a018facad977e6e685057711bf465a6e29f6a24822a84821841cd6eb76
                                                  • Opcode Fuzzy Hash: f61c1176c89479d409d276e9d01350cc25a0f24a23cf741e919260bfb79f58ed
                                                  • Instruction Fuzzy Hash: 6071B0B6610305ABD310CF54CC89F9AB3B4FF54714F569608E608AF2B1E3B4E549C7AA
                                                  APIs
                                                  • _access.MSVCRT ref: 100211E6
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1002121E
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 10021244
                                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt,?,?,00000001), ref: 10021276
                                                  • #825.MFC42(?,?,00000001), ref: 100212AC
                                                  • #825.MFC42(?,?,00000001), ref: 100212D9
                                                  • Sleep.KERNEL32(000000C8), ref: 100212E6
                                                  • CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
                                                  • MessageBoxA.USER32(00000000,1011FA20,1011FA30,00000000), ref: 1002131C
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10021328
                                                  • MessageBoxA.USER32(00000000,1011FA0C,1011FA30,00000000), ref: 10021343
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
                                                  • MessageBoxA.USER32(00000000,1011F9FC,1011FA30,00000000), ref: 10021375
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
                                                  • CloseHandle.KERNEL32(00000000), ref: 10021394
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100213AC
                                                  • CloseHandle.KERNEL32(00000000), ref: 100213EA
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                   Joe Sandbox IDA Plugin
                                                   • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                   Similarity
                                                  • API ID: D@2@@std@@D@std@@FileMessageU?$char_traits@V?$allocator@$#825CloseHandleVirtual$?assign@?$basic_string@AllocCreateEos@?$basic_string@FreeGrow@?$basic_string@ReadSizeSleepV12@_access
                                                  • String ID: C:\Users\Public\Documents\MM\7.txt$https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt$runas
                                                  • API String ID: 1859234541-2290419671
                                                  • Opcode ID: 12e361d48261b239f13e6d879893f6d1191c0736f83fdc4eb847e41fac599c18
                                                  • Instruction ID: 2f9edb036dcee0c91be41b9e12ec376120f99d4e37b84c17a54b99e90eac656d
                                                  • Opcode Fuzzy Hash: 12e361d48261b239f13e6d879893f6d1191c0736f83fdc4eb847e41fac599c18
                                                  • Instruction Fuzzy Hash: 42612878A05254ABD714CFA8DC49BDEBBB4FF29710F500229F909B72C0CB745A45CB64
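The function listed above (refs 100211E6 to 100213EA) assigns a URL into a std::string, opens C:\Users\Public\Documents\MM\7.txt for reading, allocates memory with VirtualAlloc using protection 0x40 (PAGE_EXECUTE_READWRITE) and then calls ReadFile, which is the shape of a file-backed shellcode loader. The following is an added example of how an analyst can triage such a listing mechanically; it is not code from the Joe Sandbox report or from the sample. The LISTING text is copied from the entries above with the repeated MessageBoxA and MFC42 lines dropped; the Win32 constants are the documented values, while the Call record, the function names and the "open for read, then executable allocation, then ReadFile" rule are this example's own assumptions.

```python
"""Triage one function's Joe Sandbox API listing for a read-file-into-RWX-memory loader.

Added example: not code from the Joe Sandbox report or from the analysed sample.
LISTING is copied from the function report (subset of its lines); the sequence
rule and the helper names below are assumptions made for this example.
"""
import re
from typing import NamedTuple, Optional

# Constructed input: lines copied from the function report above.
LISTING = r"""
• _access.MSVCRT ref: 100211E6
• ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(https://fs-im-kefu.7moor-fs1.com/ly/4d2c3f00-7d4c-11e5-af15-41bf63ae4ea0/1723729291433/7.txt,?,?,00000001), ref: 10021276
• Sleep.KERNEL32(000000C8), ref: 100212E6
• CreateFileA.KERNEL32(C:\Users\Public\Documents\MM\7.txt,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10021301
• MessageBoxA.USER32(00000000,1011FA20,1011FA30,00000000), ref: 1002131C
• GetFileSize.KERNEL32(00000000,00000000), ref: 10021328
• VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 10021358
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10021384
• CloseHandle.KERNEL32(00000000), ref: 10021394
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 100213AC
"""

# One call line as printed by the Joe Sandbox IDA plugin:
#   "• CreateFileA.KERNEL32(arg0,arg1,...), ref: 10021301"   (args are optional)
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants.
GENERIC_READ = 0x80000000
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY all set a bit here


class Call(NamedTuple):
    api: str
    module: str
    args: list
    ref: int

    def hexarg(self, i: int) -> Optional[int]:
        """Argument i as an integer, or None when the plugin printed '?' or a string."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_calls(listing: str) -> list:
    """Parse the listing into Call records, in listing (address) order."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def extract_iocs(calls) -> dict:
    """Collect URLs and local file paths that appear as string arguments."""
    urls, paths = [], []
    for c in calls:
        for a in c.args:
            if a.startswith(("http://", "https://")):
                urls.append(a)
            elif re.match(r"^[A-Za-z]:\\", a):
                paths.append(a)
    return {"urls": urls, "paths": paths}


def find_rwx_loader(calls) -> Optional[dict]:
    """Flag: CreateFileA with GENERIC_READ, then VirtualAlloc with an executable
    protection, then ReadFile. Listing order is address order, not a proven
    execution trace, so treat a hit as a triage lead. Returns the refs or None."""
    opened = alloc = None
    for c in calls:
        access = c.hexarg(1)
        if c.api == "CreateFileA" and access is not None and access & GENERIC_READ:
            opened = c
        elif c.api == "VirtualAlloc" and opened is not None:
            protect = c.hexarg(3)
            if protect is not None and protect & PAGE_EXECUTE_MASK:
                alloc = c
        elif c.api == "ReadFile" and alloc is not None:
            return {"file": opened.args[0], "protect": alloc.hexarg(3),
                    "open_ref": opened.ref, "alloc_ref": alloc.ref, "read_ref": c.ref}
    return None


if __name__ == "__main__":
    parsed = parse_calls(LISTING)
    print(extract_iocs(parsed))
    print(find_rwx_loader(parsed))
```

In this listing CreateFileA is called with GENERIC_READ (0x80000000), FILE_SHARE_READ (0x1) and OPEN_EXISTING (0x3), and VirtualAlloc with MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40); the three MessageBoxA calls interleaved with those steps are not part of the rule because the listing does not show which branch they belong to.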
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                  • LoadLibraryA.KERNEL32 ref: 10005386
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                  • LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .23$2$3$ConvertSidToStringSidA$D$FreeLibrary$I$IsValidSid$L$_RasDefaultCredentials#0$LookupAccountNameA$P$V$kernel32.dll
                                                  • API String ID: 2574300362-2447002180
                                                  • Opcode ID: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                  • Instruction ID: 223027d79037198c63e6ca2b5f055af27ccc184e3b8335a544396f1f5ed8738e
                                                  • Opcode Fuzzy Hash: 0e49161b9a27eb155e0ea2c7e22d683dee310b1aad9c37f06d238c71156bed93
                                                  • Instruction Fuzzy Hash: D631A472108385AED300DB68DC44AEFBFD8EFD5255F440A5EF58482241D7A9D60C8BB3
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1002C6B7
                                                  • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1002C6C7
                                                  • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1002C6D1
                                                  • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1002C6DD
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1002C6E8
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1002C6F4
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1002C750
                                                  • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1002C758
                                                  • CloseHandle.KERNEL32(?), ref: 1002C76A
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1002C77B
                                                  • FreeLibrary.KERNEL32(?), ref: 1002C786
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: AddressLibraryProc$Load$Free$CloseHandle
                                                  • String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll$Mw
                                                  • API String ID: 2887716753-741755644
                                                  • Opcode ID: 45a204b01268b1b13edcb1f2b41aec34c2bf49e29688a1ce81d6ffc726120b56
                                                  • Instruction ID: 777ff554131cfff3992ac28be8bcb9934cc84048142c8927113d124464414cd9
                                                  • Opcode Fuzzy Hash: 45a204b01268b1b13edcb1f2b41aec34c2bf49e29688a1ce81d6ffc726120b56
                                                  • Instruction Fuzzy Hash: 312182756083056BD700DB65DC89FAFBBE8EFC8654F444A1DF54493140DB78DA448F62
                                                  APIs
                                                  • #354.MFC42(?,0000000C,?,?,?,?,?,?,00000000), ref: 10008140
                                                  • #5186.MFC42 ref: 1000815A
                                                  • #665.MFC42 ref: 1000816F
                                                  • #540.MFC42(?), ref: 1000818F
                                                  • #537.MFC42(?,?), ref: 1000819E
                                                  • #4204.MFC42(?,?), ref: 100081DA
                                                  • #2915.MFC42(00000080,?,?), ref: 100081EA
                                                  • #5442.MFC42(00000000,?,00000080,?,?), ref: 10008231
                                                  • #5572.MFC42(00000000,00000000,?,00000080,?,?), ref: 10008240
                                                  • #6874.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 1000824B
                                                  • #4204.MFC42(00000000,00000000,00000000,?,00000080,?,?), ref: 10008254
                                                  • #2764.MFC42(00000000,00000000,00000000,00000000,?,00000080,?,?), ref: 10008262
                                                  • MessageBoxA.USER32(00000000,100FA624,warning,00000000), ref: 100082AA
                                                  • #1979.MFC42(00000000,?,0000000C,?,?,?,?,?,?,00000000), ref: 100082C2
                                                  • #800.MFC42 ref: 100082D0
                                                  • #800.MFC42 ref: 100082DE
                                                  • #665.MFC42 ref: 100082EF
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: #4204#665#800$#1979#2764#2915#354#5186#537#540#5442#5572#6874Message
                                                  • String ID: $warning
                                                  • API String ID: 2155908909-2294955047
                                                  • Opcode ID: f1ae901bacc49b44c3eb4158cf4eb01a346422ca08a816317cc0900979dd79ba
                                                  • Instruction ID: e0aaeec7e2b7d1167d156ef47cb43e21b75368a0a06e4c2e4974d39bb2d8ba31
                                                  • Opcode Fuzzy Hash: f1ae901bacc49b44c3eb4158cf4eb01a346422ca08a816317cc0900979dd79ba
                                                  • Instruction Fuzzy Hash: AF51E0751087459FD348DF64D991B9BB7E1FF94710F800A2DF99693285DB30AE08CB92
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,1011EF78,00000000,0000005C), ref: 1001E484
                                                  • GetLocalTime.KERNEL32(?), ref: 1001E4CE
                                                  • sprintf.MSVCRT ref: 1001E599
                                                  • WriteFile.KERNEL32 ref: 1001E5EE
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001E5F5
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleLocalTimeWritesprintf
                                                  • String ID: $-$4$:$C:\ProgramData\Microsoft Drive\Mark.sys$M$T$TGByte\Setup$a$e$i$k$m$r
                                                  • API String ID: 694383593-1605913938
                                                  • Opcode ID: e3abec9d46ba17b0724a3c17d934a8e6752bdedbad762670d6d6ddcfec85a228
                                                  • Instruction ID: 8fcdc3d8b052a8db140029308cff98f5616bb889fbb2d53ba99603f5eb05f638
                                                  • Opcode Fuzzy Hash: e3abec9d46ba17b0724a3c17d934a8e6752bdedbad762670d6d6ddcfec85a228
                                                  • Instruction Fuzzy Hash: 58516F7110D3C09EE311CB28C844B9BBFD5ABEA308F484A5DF5D967292C6B59608CB67
                                                  APIs
                                                    • Part of subcall function 10007940: #541.MFC42(?,?,?,10097D2B,000000FF), ref: 10007960
                                                    • Part of subcall function 10007940: #540.MFC42(?,?,?,10097D2B,000000FF), ref: 10007970
                                                  • #540.MFC42(?,?,00000000,00000065), ref: 10009F4E
                                                  • #540.MFC42 ref: 10009F5F
                                                  • #540.MFC42 ref: 10009F70
                                                  • #2614.MFC42 ref: 10009F81
                                                  • #860.MFC42(*.*), ref: 10009F8F
                                                  • #3811.MFC42(?,*.*), ref: 10009FB5
                                                  • #3811.MFC42(?,?,*.*), ref: 10009FC5
                                                  • #3811.MFC42(?,?,?,*.*), ref: 10009FD5
                                                  • #3811.MFC42(?,?,?,?,*.*), ref: 10009FE5
                                                  • #3811.MFC42(?,?,?,?,?,*.*), ref: 10009FF5
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*), ref: 1000A005
                                                  • #860.MFC42(?,?,?,?,?,?,?,*.*), ref: 1000A033
                                                  • #2818.MFC42(?,*%s*,?,?,?,?,?,?,?,?,*.*), ref: 1000A04A
                                                  • #860.MFC42(?,?,00000000,00000065), ref: 1000A097
                                                  • #800.MFC42 ref: 1000A0D2
                                                  • #800.MFC42 ref: 1000A0E3
                                                  • #800.MFC42 ref: 1000A0F3
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: #3811$#540$#800#860$#2614#2818#541
                                                  • String ID: *%s*$*.*
                                                  • API String ID: 185796673-1558234275
                                                  • Opcode ID: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                  • Instruction ID: ee2751bb99efb5b8e8624e7515bc667b61434bbdc0d3475f74e87a486019deaf
                                                  • Opcode Fuzzy Hash: 6abb6b1f1cb9d99256978181ee2c38739354c8b016ba86206848d68570f9c942
                                                  • Instruction Fuzzy Hash: 9B5146754083858FC325CFA4C591AABFBE5FFD9700F840A2DB59983292DB74A508CB63
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,SetEvent), ref: 10001329
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001332
                                                  • LoadLibraryA.KERNEL32 ref: 100013A4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100013A7
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,ResumeThread,00000000,?,00000000,774CF550), ref: 100015B9
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015C2
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateThread,?,00000000,774CF550), ref: 100015D2
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015D5
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInOpen,?,00000000,774CF550), ref: 100015E5
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015E8
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInGetNumDevs,?,00000000,774CF550), ref: 100015F8
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 100015FB
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInPrepareHeader,?,00000000,774CF550), ref: 10001609
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000160C
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInAddBuffer,?,00000000,774CF550), ref: 1000161C
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 1000161F
                                                    • Part of subcall function 100015A0: LoadLibraryA.KERNEL32(WINMM.dll,waveInStart,?,00000000,774CF550), ref: 1000162F
                                                    • Part of subcall function 100015A0: GetProcAddress.KERNEL32(00000000), ref: 10001632
                                                   Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: F$KERNEL32.dll$O$S$SetEvent$W$a$b$c$g$j$l$n$o$r
                                                  • API String ID: 2574300362-1789360232
                                                  • Opcode ID: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction ID: 6d0500b828a3b4bacedf277e9e204f21e6ad90e68e93e0fee001a8a00f1ea147
                                                  • Opcode Fuzzy Hash: 8681ca1b1b33f73bda7f61c2a29eb6732c7a1b4a0c27a5eda15d591767e8de8a
                                                  • Instruction Fuzzy Hash: 7531C26110C3C08ED301DA6D9840B9BFFD59FA6658F090A9EE5C857343C6AAD61CC7BB
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,00000001,00000001), ref: 1000724A
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 100072B9
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100072C9
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100072F2
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 10007301
                                                  • malloc.MSVCRT ref: 1000730E
                                                  • ReadFile.KERNEL32(?,00000000,?,0000023D,00000000), ref: 10007335
                                                  • CloseHandle.KERNEL32(?), ref: 10007342
                                                  • free.MSVCRT ref: 10007378
                                                  • lstrlenA.KERNEL32(?), ref: 100073F9
                                                  • lstrlenA.KERNEL32(?), ref: 10007418
                                                  • lstrlenA.KERNEL32(?), ref: 10007427
                                                  • lstrlenA.KERNEL32(?), ref: 10007449
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10007457
                                                  • lstrlenA.KERNEL32(?), ref: 10007476
                                                  • lstrlenA.KERNEL32(?), ref: 10007493
                                                  • LocalReAlloc.KERNEL32(00000000,-00000002,00000042), ref: 100074A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$File$AllocLocal$AttributesCloseCreateFolderHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Version
                                                  • API String ID: 2101459175-1889659487
                                                  • Opcode ID: 888e3cd4f61a183a7bdcc57cae87bda2e6449d5a84a4b9969f7d5d2a1a82d378
                                                  • Instruction ID: 50175a7f71ee47e87c9703601210e5e83de23d683255c8417447b4e14873cd47
                                                  • Opcode Fuzzy Hash: 888e3cd4f61a183a7bdcc57cae87bda2e6449d5a84a4b9969f7d5d2a1a82d378
                                                  • Instruction Fuzzy Hash: 3661C5756002045BE728DB78CC99BEB3795FB88310F584B2DFE1ADB2D5DB74AA04C660
                                                  APIs
                                                  • #2614.MFC42(00000000,?), ref: 100110F5
                                                  • #2614.MFC42(00000000,?), ref: 100110FD
                                                  • #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                  • #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 10012190: #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                  • PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                  • #860.MFC42(00000000), ref: 1001117C
                                                  • PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                  • PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                  • _splitpath.MSVCRT ref: 100111C5
                                                  • #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                  • #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                  • #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  • #858.MFC42 ref: 10011237
                                                  • #800.MFC42 ref: 1001124A
                                                  • #941.MFC42(?), ref: 10011259
                                                  • #858.MFC42 ref: 1001127E
                                                  • #800.MFC42 ref: 1001128E
                                                  • #860.MFC42(?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112A0
                                                  • #860.MFC42(?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112BE
                                                  • #6874.MFC42(0000002E,?,?,0000002F,0000005C,?,?,?,?,?,?), ref: 100112C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #860$#2614Path$#800#858Args$#6143#6874#6876#825#941RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 2691293456-0
                                                  • Opcode ID: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction ID: c1f90ecbaa6655960492b8b6f0b929a9783f598dd6715e5503ef59e830b1600e
                                                  • Opcode Fuzzy Hash: 3e2eda024314cc5e32bb76d915b38d128f259786ccef139dba7872ee867caee5
                                                  • Instruction Fuzzy Hash: 9451C3792043459BC728CF64D951FEEB7E9EF88710F40461CF55A872C1DB70A609CB96
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000590A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                  • LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                  • LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                  • free.MSVCRT ref: 10005993
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$free
                                                  • String ID: .23$2$3$D$I$L$_RasDefaultCredentials#0$LsaClose$LsaOpenPolicy$LsaRetrievePrivateData$P$V
                                                  • API String ID: 1540231353-1695543321
                                                  • Opcode ID: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction ID: b87623f99a44c4d79927182bb7b3290fde75b39c0de0aa94dcbdadddc74f4482
                                                  • Opcode Fuzzy Hash: 885de384c055e857efefd678615c9cae5315e7cc058022f3c828cce3297e37f7
                                                  • Instruction Fuzzy Hash: 1A3192B610C3859ED300DB68DC84AABBBD8EBD4254F44491EF988D7241E675DA0DCBA3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteFreeLocalOpenwsprintf
                                                  • String ID: D$N$U$a$a$i$m$m$o$o$r$t$u
                                                  • API String ID: 321629408-3882932831
                                                  • Opcode ID: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction ID: 9e633f2ff59cbc2020f784f894622fe3b489b46e50fdb71083fa3736798a3e6b
                                                  • Opcode Fuzzy Hash: f3ef1aa64334a6f8a8983bb0ce524996e391ea5494bb12541602a1a6a0b68d46
                                                  • Instruction Fuzzy Hash: 4941256610E3C1DED302CB689484A8BBFD56BB6608F48499DF4C857342C6A9C61CC7BB
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                  • LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,ExA,0000004D), ref: 10014DD4
                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,0000004D,?), ref: 10014DFE
                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 10014E2A
                                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 10014E56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Value$AddressDeleteLibraryLoadProc
                                                  • String ID: A$ADVAPI32.dll$E$ExA$K$RegCrkat$RegOpenKeyExA$x$y
                                                  • API String ID: 839562100-350676929
                                                  • Opcode ID: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction ID: 1ed5652b7448f0d279fc009ec0fc7650b7380c8c77e483b0f181bc9d886ff7ae
                                                  • Opcode Fuzzy Hash: 4be524b758586956944c9cf266d6c6eb3a393cda1bd587d0aa69720bbd559af3
                                                  • Instruction Fuzzy Hash: 60516F71A04289AEDB00DBA8CC84FEF7BB8EB99754F054109F604AB291DB74E940CB60
                                                  APIs
                                                  • #540.MFC42 ref: 1000A14F
                                                  • #540.MFC42 ref: 1000A163
                                                  • #860.MFC42(00000000), ref: 1000A1B1
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011005
                                                    • Part of subcall function 10010FD0: #825.MFC42(?), ref: 10011044
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001105A
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011067
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011074
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 10011081
                                                    • Part of subcall function 10010FD0: #801.MFC42 ref: 1001108E
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 1001109B
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110A8
                                                    • Part of subcall function 10010FD0: #800.MFC42 ref: 100110B8
                                                  • lstrcpyA.KERNEL32(?,?,00000000), ref: 1000A1DA
                                                  • CreateFileA.KERNEL32(?,00000008,00000001,00000000,00000003,00000000,00000000), ref: 1000A1ED
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 1000A1FD
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000A20B
                                                  • PathFindFileNameA.SHLWAPI(?), ref: 1000A216
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 1000A225
                                                  • GetFileAttributesExA.KERNEL32(?,00000000,?), ref: 1000A233
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 1000A243
                                                  • wsprintfA.USER32 ref: 1000A276
                                                  • #823.MFC42(0000022E), ref: 1000A281
                                                  • Sleep.KERNEL32(0000000A), ref: 1000A2B1
                                                  • #800.MFC42 ref: 1000A2C5
                                                  • #800.MFC42 ref: 1000A2D9
                                                    • Part of subcall function 10011EC0: #858.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011EF8
                                                    • Part of subcall function 10011EC0: #800.MFC42(00000000,?,00000000,00000000,?,00000000,00000000,10098838,000000FF,1000A1AC), ref: 10011F09
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$File$#540Timelstrcpy$#801#823#825#858#860AttributesCloseCreateFindHandleNamePathSizeSleepSystemwsprintf
                                                  • String ID: %d-%d-%d
                                                  • API String ID: 4162832437-1067691376
                                                  • Opcode ID: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction ID: e65afb7b552d62d436e06514f25d1dc28ad07c56c8aeeae503be500a7d4ecf2d
                                                  • Opcode Fuzzy Hash: 4c5e51f3c3ce9325c0f13647d86720a2bd2c162aee3e428c51b27422406379ed
                                                  • Instruction Fuzzy Hash: 67419079148382ABE324DB64CC49FAFB7A8FF85700F044A2CF599972D1CB74A544CB62
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,ReadFile), ref: 10021ECA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021ED3
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalAlloc), ref: 10021EE3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EE6
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,LocalFree), ref: 10021EF6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021EF9
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,Sleep), ref: 10021F09
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F0C
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,PeekNamedPipe), ref: 10021F1C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10021F1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$LocalAlloc$LocalFree$PeekNamedPipe$ReadFile$Sleep$kernel32.dll
                                                  • API String ID: 2574300362-1218197485
                                                  • Opcode ID: 7f4df006d70baeda4ad10cd22656201abc1fbe99b512f1a21b565e5dee79b986
                                                  • Instruction ID: 839ec0c9db347561b9c4dabea88c2a263b748931e545f40543dc6910dd136d73
                                                  • Opcode Fuzzy Hash: 7f4df006d70baeda4ad10cd22656201abc1fbe99b512f1a21b565e5dee79b986
                                                  • Instruction Fuzzy Hash: 9D312DB16143496BD714EFB1CD48F9B7AE8EFC8744F00092DB684A7140DB74E905CBA6
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32 ref: 1001A292
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1001A299
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: G$I$N$S$a$f$i$kernel32.dll$m$n$o$s$v$y
                                                  • API String ID: 1646373207-3978980583
                                                  • Opcode ID: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                  • Instruction ID: bfef907bca7166945bb8c4c048d14843ea41578d74aef9e94cfa9c66aad3b8c8
                                                  • Opcode Fuzzy Hash: 3730fcdcbc7108c25aa30276657fce119730defac61445f6caf977d2f40e444b
                                                  • Instruction Fuzzy Hash: 18111C1050C3C28EE302DB6C844838FBFD55BA2644F48888DF4D84A293D2BAC69CC7B7
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetDesktopWindow.USER32 ref: 10018B62
                                                  • GetDC.USER32(00000000), ref: 10018B6F
                                                  • GetTickCount.KERNEL32 ref: 10018B83
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018BAD
                                                  • GetSystemMetrics.USER32(00000001), ref: 10018BB4
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BD2
                                                  • CreateCompatibleDC.GDI32(?), ref: 10018BDB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BE4
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 10018BEA
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10018C49
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 10018C5A
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 10018C6E
                                                  • SelectObject.GDI32(?,?), ref: 10018C84
                                                  • SelectObject.GDI32(?,?), ref: 10018C8E
                                                  • SelectObject.GDI32(?,?), ref: 10018C9E
                                                  • SetRect.USER32(00000034,00000000,00000000,?,?), ref: 10018CAE
                                                  • #823.MFC42(00000002), ref: 10018CBD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$#823CountCursorLoadRectReleaseTick
                                                  • String ID:
                                                  • API String ID: 704209761-0
                                                  • Opcode ID: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                  • Instruction ID: b86d6b879deca8f43264229754a3adc1f6ec2cd8ec19f7890218ae82cecf81d1
                                                  • Opcode Fuzzy Hash: 9e4a370fffcece8fbec7a61461ab6de9897d787a6ad9132f8615e26d857d306e
                                                  • Instruction Fuzzy Hash: 2E81F3B4504B459FD320DF69C884A67FBE9FB88704F004A1DE59A87750DBB9F805CBA1
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                  • Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                  • #4202.MFC42(00000000), ref: 1000BC03
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                  • #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                  • #4202.MFC42 ref: 1000BC35
                                                  • #5572.MFC42(000000FF), ref: 1000BC78
                                                  • #800.MFC42(000000FF), ref: 1000BC88
                                                  • Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                  • #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                  • #800.MFC42 ref: 1000BCC0
                                                  • OpenProcess.KERNEL32(00000001,00000000,00000128), ref: 1000BCE7
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 1000BCF1
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000BCF8
                                                  • #5572.MFC42(000000FF), ref: 1000BD04
                                                  • #5572.MFC42(000000FF,000000FF), ref: 1000BD12
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD22
                                                  • #800.MFC42(000000FF,000000FF), ref: 1000BD39
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #5572#800$Process32$#4202NextProcess$#537CloseCreateFirstHandleOpenSnapshotTerminateToolhelp32
                                                  • String ID:
                                                  • API String ID: 1944864456-0
                                                  • Opcode ID: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                  • Instruction ID: ee7fe5d149508e1b0384bfe3d7b9a40c8a8a5284b934431346b927ad99a76550
                                                  • Opcode Fuzzy Hash: fdc46ebd97d5fef3205ec45985500fc953ff3a241d315039a7be263562148bc3
                                                  • Instruction Fuzzy Hash: 18417F350083859FE360DF64C891EEFB7D9EF953A0F944B2DF4A9421E1EB34A908C652
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32 ref: 1001D8AD
                                                  • strrchr.MSVCRT ref: 1001D8C3
                                                  • strrchr.MSVCRT ref: 1001D904
                                                  • isdigit.MSVCRT ref: 1001D93C
                                                  • memmove.MSVCRT(?,?), ref: 1001D95D
                                                  • atoi.MSVCRT(?), ref: 1001D995
                                                  • sprintf.MSVCRT ref: 1001D9B9
                                                    • Part of subcall function 1001D480: GetFileAttributesA.KERNEL32(?,1001D9C8,?), ref: 1001D485
                                                  • sprintf.MSVCRT ref: 1001D9E3
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 1001DA13
                                                  • CloseHandle.KERNEL32(00000000), ref: 1001DA23
                                                  • printf.MSVCRT ref: 1001DA36
                                                  • printf.MSVCRT ref: 1001DA50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$printfsprintfstrrchr$AttributesCloseCreateHandleModuleNameatoiisdigitmemmove
                                                  • String ID: At least one INI file in range 1 to 30 already exists.$C:\ProgramData\%d.ini$INI file path: %s
                                                  • API String ID: 584443958-3437802155
                                                  • Opcode ID: e9e403ce930c450e09abc2f1f7fa1b832c2c33435fe635e6026baf3bd7b7edb1
                                                  • Instruction ID: 5290e351072292b353afb0c8017d1a21791a8b433ad051274eb893ffe2ffd492
                                                  • Opcode Fuzzy Hash: e9e403ce930c450e09abc2f1f7fa1b832c2c33435fe635e6026baf3bd7b7edb1
                                                  • Instruction Fuzzy Hash: 884147761143141BE324E7789C85BEB37D8FB84324F040E29FA59D71D1EBB5E68883A2
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 10029574
                                                  • GetCurrentProcess.KERNEL32(?), ref: 1002957F
                                                  • IsWow64Process.KERNEL32(00000000), ref: 10029586
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100295D1
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000000,00000000), ref: 100295EB
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100295FB
                                                  • LocalAlloc.KERNEL32(00000040,00000002), ref: 10029609
                                                  • ReadFile.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 1002961E
                                                  • LocalFree.KERNEL32(00000000), ref: 10029629
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029630
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029641
                                                  • LocalSize.KERNEL32(00000000), ref: 1002964B
                                                  • LocalFree.KERNEL32(00000000), ref: 1002965D
                                                  Strings
                                                  • \system32\drivers\etc\hosts, xrefs: 1002959D
                                                  • \sysnative\drivers\etc\hosts, xrefs: 10029596
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileLocal$CloseFreeHandleProcessSize$AllocAttributesCreateCurrentDirectoryReadWindowsWow64
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 2528494210-1011561390
                                                  • Opcode ID: 84ea9b7cf4e3984b7921a96cc070d1c21d1d3c41b7e0b34ba9bcebad10114e65
                                                  • Instruction ID: 16f5854bbd1d96b3e0e2bfa1eb0c4bf92dedb6a00c61fdda9f71565c2d37148a
                                                  • Opcode Fuzzy Hash: 84ea9b7cf4e3984b7921a96cc070d1c21d1d3c41b7e0b34ba9bcebad10114e65
                                                  • Instruction Fuzzy Hash: 8531E5352002146FE3159F78DC89FEB77A8FB88320F144B2DF75A962D0DBB499098765
                                                  APIs
                                                  • CreatePipe.KERNEL32 ref: 10020A72
                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 10020AED
                                                  • CloseHandle.KERNEL32(?), ref: 10020AFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseHandlePipeProcess
                                                  • String ID: D$schtasks /Query /TN MM
                                                  • API String ID: 1262542551-2635328053
                                                  • Opcode ID: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                  • Instruction ID: 0981537ea3ed7163310ddf7b13f575be98c0f6f7661eef0bbbfb29fdb67919c4
                                                  • Opcode Fuzzy Hash: a5ddbd22c73d49735de37707cb875a3f661527166062486b8fd150345d17fcb8
                                                  • Instruction Fuzzy Hash: A851DF75604351AFD721CF28C884AEFBBE6FB88744F944A1EF98987240D77599048B92
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012641
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012651
                                                  • wsprintfA.USER32 ref: 10012683
                                                  • CloseHandle.KERNEL32(00000000), ref: 100126D7
                                                  • Sleep.KERNEL32(00000002), ref: 100126F1
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10012730
                                                  • GetProcAddress.KERNEL32(00000000,send), ref: 1001273C
                                                  • FreeLibrary.KERNEL32(?), ref: 10012794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressLoadProc$CloseFreeHandleSleepwsprintf
                                                  • String ID: ID= %d $closesocket$send$ws2_32.dll$Mw
                                                  • API String ID: 1680113600-2575072272
                                                  • Opcode ID: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction ID: c6c0da67d46d13d68f268ba758adfad6d1a8e6a04e0d0a6cfae2b139a2cc5429
                                                  • Opcode Fuzzy Hash: 1e004e0467ac5dc5021d6473d21da3e49f18c438dae7c27dbc7de7b95a398db1
                                                  • Instruction Fuzzy Hash: 5941B3B9608355AFD714DF78CC88B9BB7E4FB88344F040A18F985DB281D774E9608B61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: getenv
                                                  • String ID: JSIMD_FORCE3DNOW$JSIMD_FORCEAVX2$JSIMD_FORCEMMX$JSIMD_FORCENONE$JSIMD_FORCESSE$JSIMD_FORCESSE2$JSIMD_NOHUFFENC
                                                  • API String ID: 498649692-40509672
                                                  • Opcode ID: 5a1275630d78b6e0bc478e23c432fe23d72843e9093515a4164cb50d5e2ec9dc
                                                  • Instruction ID: 18d7cb8a5a1671d28b24fa3e57593d38ad278de5b5033f6ee61c0587f9a67825
                                                  • Opcode Fuzzy Hash: 5a1275630d78b6e0bc478e23c432fe23d72843e9093515a4164cb50d5e2ec9dc
                                                  • Instruction Fuzzy Hash: 3E210AEBA102052FF755E2306D55B6531C1F7A13E2FDA8132E904DF2C2FA18DC469392
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 10005AA7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005AAE
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(kernel32.dll,FreeLibrary,?,L$_RasDefaultCredentials#0,00000000), ref: 1000532C
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005335
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32 ref: 10005386
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 10005389
                                                    • Part of subcall function 10005310: LoadLibraryA.KERNEL32(?,IsValidSid), ref: 10005397
                                                    • Part of subcall function 10005310: GetProcAddress.KERNEL32(00000000), ref: 1000539A
                                                  • wsprintfA.USER32 ref: 10005B17
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32 ref: 1000590A
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005913
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaOpenPolicy), ref: 10005923
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005926
                                                    • Part of subcall function 100058B0: LoadLibraryA.KERNEL32(?,LsaClose), ref: 10005934
                                                    • Part of subcall function 100058B0: GetProcAddress.KERNEL32(00000000), ref: 10005937
                                                    • Part of subcall function 10005B80: LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                    • Part of subcall function 10005B80: GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  • API ID: AddressLibraryLoadProc$wsprintf
                                                  • String ID: .$2$3$D$I$L$_RasDefaultCredentials#0$LsaFreeMemory$P$RasDialParams!%s#0$V$d
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 1000105A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001061
                                                  • #823.MFC42(000003E8), ref: 1000109D
                                                  • #823.MFC42(00000020,000003E8), ref: 100010A7
                                                  • #823.MFC42(000003E8,00000020,000003E8), ref: 100010B2
                                                  • #823.MFC42(00000020,000003E8,00000020,000003E8), ref: 100010BC
                                                  • API ID: #823$AddressLibraryLoadProc
                                                  • String ID: A$C$E$KERNEL32.dll$a$n$r$v
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10027190
                                                  • lstrcatA.KERNEL32(?,\termsrv.dll), ref: 100271A0
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                    • Part of subcall function 100270F0: CreateToolhelp32Snapshot.KERNEL32 ref: 10027105
                                                    • Part of subcall function 100270F0: Process32First.KERNEL32(00000000,?), ref: 10027112
                                                    • Part of subcall function 100270F0: Process32Next.KERNEL32(00000000,?), ref: 10027150
                                                    • Part of subcall function 100270F0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 1002715B
                                                    • Part of subcall function 1001B690: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1001B6D2
                                                    • Part of subcall function 1001B690: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6EA
                                                    • Part of subcall function 1001B690: GetLastError.KERNEL32(?,00000000,?,00000010,00000000,00000000), ref: 1001B6F0
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,00000000,00000000), ref: 1001B6FF
                                                    • Part of subcall function 1001B690: CloseHandle.KERNEL32(?,?,00000000,?,00000010,00000000,00000000), ref: 1001B710
                                                  • GetProcessId.KERNEL32(csrss.exe,?,?,?,00000065,?,?,\termsrv.dll), ref: 100271E9
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 100271F9
                                                  • GetProcessId.KERNEL32(drwtsn32.exe,?,774D0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 10027212
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 10027222
                                                  • EnumWindows.USER32(10026EF0,00000000), ref: 1002722A
                                                  • Sleep.KERNEL32(0000000A,?,774D0F00,?,?,?,00000065,?,?,\termsrv.dll), ref: 1002722E
                                                  • AbortSystemShutdownA.ADVAPI32(00000000), ref: 10027232
                                                  • API ID: Process$CloseHandleSystem$AbortEnumProcess32ShutdownTokenWindows$AdjustCreateCurrentDirectoryErrorFirstLastLookupNextOpenPrivilegePrivilegesSleepSnapshotToolhelp32Valuelstrcat
                                                  • String ID: SeDebugPrivilege$SeShutdownPrivilege$\termsrv.dll$csrss.exe$drwtsn32.exe
                                                  APIs
                                                  • #823.MFC42(0000001C,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006540
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006583
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006597
                                                  • #825.MFC42(00000000,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065DD
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100065F1
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006637
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 1000664B
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 10006691
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066A5
                                                  • #825.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066EB
                                                  • #823.MFC42(?,00000000,?,00000000,00000000,?,10006386,?,?,00000000,?,?,00000000,?,?), ref: 100066FF
                                                  • #825.MFC42(?,?,?), ref: 10006758
                                                  • #823.MFC42(?,?,?), ref: 1000676C
                                                  • #825.MFC42(00000000,?,?), ref: 100067B1
                                                  • #823.MFC42(?,?,?), ref: 100067C5
                                                  • API ID: #823$#825
                                                  • String ID:
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,00000000,?,0000005C,?,1000620E,00000000), ref: 10006416
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1000641F
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,0000005C,?,1000620E,00000000), ref: 1000642F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006432
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,0000005C,?,1000620E,00000000), ref: 10006442
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10006445
                                                  • #823.MFC42(00000002,?,0000005C,?,1000620E,00000000), ref: 10006461
                                                  • #823.MFC42(00000002,00000002,?,0000005C,?,1000620E,00000000), ref: 10006469
                                                  • #825.MFC42(00000000,?,0000005C,?,1000620E,00000000), ref: 10006495
                                                  • API ID: AddressLibraryLoadProc$#823$#825
                                                  • String ID: KERNEL32.dll$MultiByteToWideChar$WideCharToMultiByte$lstrlenA
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,00000010), ref: 1002BD4B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BD52
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: .$2$3$K$L$N$R$S$d$n$v
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,774D0BD0,00000000,?,774CF550), ref: 1002BF0A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF13
                                                  • LoadLibraryA.KERNEL32(USER32.dll,GetThreadDesktop,?,774CF550), ref: 1002BF21
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002BF24
                                                  • GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 1002BF48
                                                  • SetThreadDesktop.USER32(?,?,774CF550), ref: 1002BF5E
                                                  • API ID: AddressLibraryLoadProc$DesktopInformationObjectThreadUser
                                                  • String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$KERNEL32.dll$USER32.dll
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetDC.USER32(00000000), ref: 10017E52
                                                  • QueryPerformanceFrequency.KERNEL32(00000030), ref: 10017E5F
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017E81
                                                  • GetDeviceCaps.GDI32(?,00000076), ref: 10017E9E
                                                  • GetDeviceCaps.GDI32(?,00000075), ref: 10017EA9
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017EC7
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED0
                                                  • CreateCompatibleDC.GDI32(?), ref: 10017ED9
                                                  • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 10017F26
                                                  • CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 10017F37
                                                  • SelectObject.GDI32(?,?), ref: 10017F4A
                                                  • SelectObject.GDI32(?,?), ref: 10017F54
                                                  • #823.MFC42(?,?,?,?,00000000), ref: 10017F5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Create$Compatible$CapsDeviceObjectSectionSelect$#823CursorFrequencyLoadPerformanceQueryReleaseUnothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1396098503-0
                                                  • Opcode ID: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction ID: f5b09e1389df2f3a8d9c5176518bf7bbc65b6c3c0f8f13021ea446bacafcd8a0
                                                  • Opcode Fuzzy Hash: b320cf3e43d5f69ce13cdc363c04ae0b3c7bef57714eee9ac65f9eae9de58433
                                                  • Instruction Fuzzy Hash: 2981F2B5504B459FD320CF29C884A6BFBF9FB88704F008A1DE58A87750DB79F8058B91
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A28
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001751F,?,?,00000000), ref: 10017A30
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001751F,?,?,00000000), ref: 10017A37
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A4D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A50
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001751F,?,?,00000000), ref: 10017A5E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10017A61
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017A9A
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10017AB4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction ID: 2451a04a9bde1e7bfa8f86e37c24795d67c21f324d001409fd558fbe77f3f18c
                                                  • Opcode Fuzzy Hash: 80c9abde4b12d50efe92c4b3546a67d4ac8343425a33d2bf32e8b82d811461be
                                                  • Instruction Fuzzy Hash: AD515B31BC471576F234CA648C87F4A7AA4FB85F90F708611B708BE1C4D6F0F980869A
                                                  APIs
                                                    • Part of subcall function 1002C5D0: GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                    • Part of subcall function 1002C5D0: GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                    • Part of subcall function 1002C5D0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                    • Part of subcall function 1002C5D0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                    • Part of subcall function 1002C5D0: lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                    • Part of subcall function 1002C5D0: SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C680
                                                    • Part of subcall function 1002C5D0: CloseDesktop.USER32(00000000), ref: 1002C683
                                                  • SetCursorPos.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D88
                                                  • WindowFromPoint.USER32(?,?,?,?,?,?,1001697A,?,?), ref: 10016D90
                                                  • SetCapture.USER32(00000000,?,?,?,?,1001697A,?,?), ref: 10016D97
                                                  • LoadLibraryA.KERNEL32(USER32.dll,keybd_event,?,?,?,?,1001697A,?,?), ref: 10016DAD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DB0
                                                  • LoadLibraryA.KERNEL32(USER32.dll,mouse_event,?,?,?,?,1001697A,?,?), ref: 10016DBE
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10016DC1
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016DFA
                                                  • MapVirtualKeyA.USER32(?,00000000), ref: 10016E14
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Desktop$Thread$AddressCloseInformationLibraryLoadObjectProcUserVirtual$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
                                                  • String ID: USER32.dll$keybd_event$mouse_event
                                                  • API String ID: 1441364844-718119381
                                                  • Opcode ID: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction ID: 9bdd7654e0fc0f02893d67ce9a41b80379b50915a00eb774664f2f349eb60d67
                                                  • Opcode Fuzzy Hash: 08bcb3d6ed205dffc589dff17d9e7e4658589abb0dcfe27e4ec1cfb246dd7a1a
                                                  • Instruction Fuzzy Hash: C3515E3ABC0729B7F630DA64CD47F5A6A94EB49F90F314615B704BE1C1D5F0F8808A99
                                                  APIs
                                                    • Part of subcall function 100109B0: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                    • Part of subcall function 100109B0: GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D12
                                                  • LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002D22
                                                  • GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10002D3E
                                                  • GetProcAddress.KERNEL32(00000000,fnDeleteChromeUserInfo), ref: 10002D4C
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E53
                                                  • LocalSize.KERNEL32(00000000), ref: 10002E5C
                                                  • LocalFree.KERNEL32(00000000,?,00000042,?,?,?,?,?,?,?,?,?,?,?,10097C58,000000FF), ref: 10002E6C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Local$AddressProc$AllocLibraryLoad$FreeSize
                                                  • String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
                                                  • API String ID: 1379963177-1650604611
                                                  • Opcode ID: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction ID: 13833c0b53df42460e1e6170d0b02e4772bea98369ed9403c64bee1aaa194fbe
                                                  • Opcode Fuzzy Hash: 40e86dac1dae070f7c70b1330ff765b42097cb6cefb2778c80bb74e439fd16d3
                                                  • Instruction Fuzzy Hash: DF4123716002585FD728CF288C45AAF7BD5FB8A7A0F580729F90AE7780CB79DE018791
                                                  APIs
                                                  • #537.MFC42(360se6.exe), ref: 1000F047
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F05F
                                                  • #540.MFC42 ref: 1000F069
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F09B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\360se6\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F0CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F0ED
                                                  • #800.MFC42 ref: 1000F101
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
                                                  • API String ID: 1983172782-1244823433
                                                  • Opcode ID: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction ID: e9c89288d271108546bef61020c2a1418b1faed9b041f6e65e1a09c7bde258f6
                                                  • Opcode Fuzzy Hash: 18c021ef16c137c05664ca6647b8b755146eec05a8d0a1cea44dfa32c53753fd
                                                  • Instruction Fuzzy Hash: F6216579408788ABE364DB54D942FDFB7D4EB84710F40891CF29D821D6EB74A504CBA3
                                                  APIs
                                                  • #537.MFC42(QQBrowser.exe), ref: 1000F147
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F15F
                                                  • #540.MFC42 ref: 1000F169
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F19B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000F1CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F1ED
                                                  • #800.MFC42 ref: 1000F201
                                                  Strings
                                                  • QQBrowser.exe, xrefs: 1000F142
                                                  • C:\Users\, xrefs: 1000F195
                                                  • \AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 1000F1A0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
                                                  • API String ID: 1983172782-2662846904
                                                  APIs
                                                  • #537.MFC42(SogouExplorer.exe), ref: 1000F247
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000F25F
                                                  • #540.MFC42 ref: 1000F269
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000F29B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2B3
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2C4
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\SogouExplorer,00000002,C:\Users\,0000005C), ref: 1000F2CE
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000F2ED
                                                  • #800.MFC42 ref: 1000F301
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
                                                  • API String ID: 1983172782-2055279553
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000EE07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EE1F
                                                  • #540.MFC42 ref: 1000EE29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EE5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Local\Google\Chrome\User Data\Default,00000002,C:\Users\,0000005C), ref: 1000EE8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EEAD
                                                  • #800.MFC42 ref: 1000EEC1
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
                                                  • API String ID: 1983172782-2559963756
                                                  APIs
                                                  • #537.MFC42(Skype.exe), ref: 1000EF07
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000EF1F
                                                  • #540.MFC42 ref: 1000EF29
                                                  • #926.MFC42(00000002,C:\Users\,0000005C), ref: 1000EF5B
                                                  • #924.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF73
                                                  • #800.MFC42(0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF84
                                                  • Sleep.KERNEL32(000003E8,0000005C,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,00000002,C:\Users\,0000005C), ref: 1000EF8E
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000BD7E
                                                    • Part of subcall function 1000BD50: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 1000BDA0
                                                    • Part of subcall function 1000BD50: ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000001), ref: 1000BDC3
                                                    • Part of subcall function 1000BD50: ?_Xran@std@@YAXXZ.MSVCP60(?,00000001), ref: 1000BDDB
                                                    • Part of subcall function 1000BD50: ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000001), ref: 1000BDE5
                                                    • Part of subcall function 1000BD50: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,0000005C,?,00000001), ref: 1000BDFD
                                                    • Part of subcall function 1000BD50: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000001,*.*,?,00000001), ref: 1000BE12
                                                    • Part of subcall function 1000BD50: FindFirstFileA.KERNEL32(?,?), ref: 1000BE2C
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE3A
                                                    • Part of subcall function 1000BD50: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000BE52
                                                  • #800.MFC42 ref: 1000EFAD
                                                  • #800.MFC42 ref: 1000EFC1
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$#800$Process32Tidy@?$basic_string@$#4202#537#5572FirstNext$#540#924#926?append@?$basic_string@CreateD@2@@0@Eos@?$basic_string@FileFindFolderFreeze@?$basic_string@Grow@?$basic_string@Hstd@@PathSleepSnapshotSpecialToolhelp32V10@V12@V?$basic_string@Xran@std@@
                                                  • String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
                                                  • API String ID: 1983172782-3499480952
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  APIs
                                                  • malloc.MSVCRT ref: 10007519
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10007541
                                                  • free.MSVCRT ref: 1000759F
                                                  • GetFileAttributesA.KERNEL32(?), ref: 100075AD
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100075D4
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 100075E3
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 100075F9
                                                  • ReadFile.KERNEL32(?,00000000,?,0000035D,00000000), ref: 1000761D
                                                  • CloseHandle.KERNEL32(?), ref: 1000762A
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 1000766A
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Virtual$AllocAttributesCloseCreateFolderFreeHandlePathReadSizeSpecialfreemalloc
                                                  • String ID: Main
                                                  • API String ID: 2820283417-521822810
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001A98A
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9C4
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9D4
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9E4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,774D23A0), ref: 1001A9EB
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001A9F8
                                                  • gethostname.WS2_32(?,?), ref: 1001AA00
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,774D23A0), ref: 1001AA07
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: Filelstrlen$#823$AddressCloseCreateHandleLibraryLoadProcReadSizegethostname
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1105965372-3579490797
                                                  APIs
                                                  • wsprintfA.USER32 ref: 10026D35
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026D4B
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026D5E
                                                  • LocalAlloc.KERNEL32(00000040,00000400), ref: 10026D6B
                                                  • GetFileAttributesA.KERNEL32(?), ref: 10026D7B
                                                  • LoadLibraryA.KERNEL32(?), ref: 10026D8E
                                                  • lstrlenA.KERNEL32(?,?,?,774D0F00), ref: 10026DA9
                                                  • lstrlenA.KERNEL32(?,?,774D0F00), ref: 10026DC9
                                                  • LocalReAlloc.KERNEL32(00000000,00000003,00000042,?,774D0F00), ref: 10026DD3
                                                  • LocalFree.KERNEL32(00000000,?,774D0F00), ref: 10026DE7
                                                  Similarity
                                                  • API ID: Local$Alloclstrlen$AttributesDirectoryFileFreeLibraryLoadSystemlstrcatwsprintf
                                                  • String ID: \termsrv_t.dll
                                                  • API String ID: 2807520882-1337493607
                                                  Similarity
                                                  • API ID: inet_ntoa$htons$inet_addr
                                                  • String ID:
                                                  • API String ID: 2325850693-0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BA5E
                                                  • Process32First.KERNEL32(00000000,?), ref: 1000BA73
                                                  • GetLastError.KERNEL32(00000000,?), ref: 1000BA80
                                                  • _wcsupr.MSVCRT ref: 1000BA9D
                                                  • _wcsupr.MSVCRT ref: 1000BAA6
                                                  • wcsstr.MSVCRT ref: 1000BAAA
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BACD
                                                  • _strlwr.MSVCRT ref: 1000BAE7
                                                  • _strlwr.MSVCRT ref: 1000BAEA
                                                  • strstr.MSVCRT ref: 1000BAF2
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1000BB01
                                                  • CloseHandle.KERNEL32(00000000,00000000,?), ref: 1000BB0B
                                                  Similarity
                                                  • API ID: Process32$Next_strlwr_wcsupr$CloseCreateErrorFirstHandleLastSnapshotToolhelp32strstrwcsstr
                                                  • String ID:
                                                  • API String ID: 146143966-0
                                                  APIs
                                                  • NetUserDel.NETAPI32(00000000,00000000), ref: 10025C48
                                                  • #825.MFC42(00000000,00000000,00000000), ref: 10025C50
                                                  • wsprintfA.USER32 ref: 10025C98
                                                  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10025CB8
                                                  • Sleep.KERNEL32(00000032), ref: 10025CC4
                                                  • RegQueryValueExA.ADVAPI32 ref: 10025CF1
                                                  • RegCloseKey.ADVAPI32(1012B064), ref: 10025CFC
                                                  • wsprintfA.USER32 ref: 10025D11
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  Similarity
                                                  • API ID: Localwsprintf$#825CloseFreeOpenQuerySizeSleepUserValue
                                                  • String ID: %08X$SAM\SAM\Domains\Account\Users\Names\%s
                                                  • API String ID: 2119749478-1111274145
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B634
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000B6A9
                                                  • GetFileSize.KERNEL32 ref: 1000B6BC
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000B6D0
                                                  • lstrlenA.KERNEL32(?), ref: 1000B6DE
                                                  • #823.MFC42(00000000), ref: 1000B6E7
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 1000B70D
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 1000B716
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000B71D
                                                  Similarity
                                                  • API ID: File$lstrlen$#823CloseCreateDirectoryHandlePointerSizeSystemWrite
                                                  • String ID: .key
                                                  • API String ID: 2856261289-343438762
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: WINMM.dll$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                  • API String ID: 2574300362-4065288365
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000E5EA
                                                  • lstrlenA.KERNEL32 ref: 1000E609
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1000E612
                                                  • CloseHandle.KERNEL32(00000000), ref: 1000E619
                                                  • RegCreateKeyA.ADVAPI32(80000001,TGByte\Setup,?), ref: 1000E62E
                                                  • RegSetValueExA.ADVAPI32(00000000,Host,00000000,00000001,?), ref: 1000E650
                                                  • RegCloseKey.ADVAPI32(?), ref: 1000E65B
                                                  Similarity
                                                  • API ID: CloseCreateFile$HandleValueWritelstrlen
                                                  • String ID: C:\ProgramData\Microsoft Drive\Host.sys$Host$TGByte\Setup
                                                  • API String ID: 1763583472-3579490797
                                                  APIs
                                                  • select.WS2_32(?,?,00000000,00000000,00000000), ref: 10023D9A
                                                  • _errno.MSVCRT ref: 10023DA4
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DBC
                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 10023DD2
                                                  • recvfrom.WS2_32(00000010,?,00001FF6,00000000,?,00000010), ref: 10023E0C
                                                  • inet_addr.WS2_32(00000000), ref: 10023E8D
                                                  • htons.WS2_32(?), ref: 10023E9C
                                                  • Sleep.KERNEL32(00000005), ref: 10023ECC
                                                  • Sleep.KERNEL32(00000005,?,?), ref: 10023F37
                                                  • closesocket.WS2_32 ref: 10023F4C
                                                  • closesocket.WS2_32(?), ref: 10023F52
                                                  Similarity
                                                  • API ID: Sleepclosesocket$_errnohtonsinet_addrrecvfromselect
                                                  • String ID:
                                                  • API String ID: 1415794423-0
                                                  • Opcode ID: 6df6ff11d769b684a62b0966e0b602471fdf7786851801ab43aab968e0e1c4fd
                                                  • Instruction ID: 526c464df8ce17cb72c57ff37cbb3dc0b2e5127f8a28d9ed385b909f9f69fec1
                                                  • Instruction Fuzzy Hash: F461A074508381ABD710CF24EC44AABB7F4FFC4714F408A2EF99997250E774D9098B66
                                                  APIs
                                                  • strchr.MSVCRT ref: 10023B29
                                                  • atoi.MSVCRT(?), ref: 10023B56
                                                  • strchr.MSVCRT ref: 10023B98
                                                  • strncpy.MSVCRT ref: 10023BCF
                                                  • strchr.MSVCRT ref: 10023BDB
                                                  • strncpy.MSVCRT ref: 10023C03
                                                  • strncpy.MSVCRT ref: 10023C1F
                                                  • InitializeCriticalSection.KERNEL32(1012C508), ref: 10023C86
                                                    • Part of subcall function 10023A10: WSAStartup.WS2_32(00000202,?), ref: 10023A21
                                                    • Part of subcall function 10023A10: socket.WS2_32(00000002,00000001,00000006), ref: 10023A35
                                                    • Part of subcall function 10023A10: htons.WS2_32 ref: 10023A68
                                                    • Part of subcall function 10023A10: bind.WS2_32 ref: 10023A83
                                                    • Part of subcall function 10023A10: listen.WS2_32(00000000,00000032), ref: 10023A94
                                                  • WSACleanup.WS2_32 ref: 10023C91
                                                  • DeleteCriticalSection.KERNEL32(1012C508), ref: 10023C9C
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strchrstrncpy$CriticalSection$CleanupDeleteInitializeStartupatoibindhtonslistensocket
                                                  • String ID:
                                                  • API String ID: 2616448033-0
                                                  • Opcode ID: b3e819960a5ceb772749df472572fff6845e508e6a232be90d491a19d2ba0dc7
                                                  • Instruction ID: 389e13c2c4ed3a1267702f136a6e221e616880a063256ef4c28e1067461a3ad5
                                                  • Instruction Fuzzy Hash: FA41C0766006081BD32C96789C458BB7BD5FBC4320F554B2EFA2B936D0DEB4EA088295
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 3289936468-0
                                                  • Opcode ID: 0dd721cf81c20e6a7698efb1a4a3b03771bafae10b7b11cfc38245ae795d8177
                                                  • Instruction ID: c614f76b29358a3fda3e897671393add0d389b4ba00e88ce342a7451a82b3d62
                                                  • Instruction Fuzzy Hash: 8241E8B4D046559FF721CF188C447AEBBE4FB0A6E0F14066AE8D5A3645C3344A02CFA6
                                                  APIs
                                                  • #540.MFC42 ref: 10011358
                                                  • #858.MFC42(00000004), ref: 10011376
                                                  • #922.MFC42(?,00000000,00000000,?,?,?,?), ref: 100113A9
                                                  • #858.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113B8
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113C6
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113D4
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 100113E1
                                                  • #939.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011409
                                                  • #800.MFC42(00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?), ref: 10011416
                                                  • #535.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011426
                                                  • #800.MFC42(00000000,?,00000000,00000000,?,?,?,?), ref: 10011438
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#858$#535#540#922#939
                                                  • String ID:
                                                  • API String ID: 1721966335-0
                                                  • Opcode ID: d3eaab9370e68b490d7de8f8f62eee078f09842f4a933f1445def97a6244d3b3
                                                  • Instruction ID: 1068962097da1abb9be03f2cf21bec5754a184422a1b80b0b6d5662a040d76a2
                                                  • Instruction Fuzzy Hash: 7D319A79108381ABC305DB68D551F9FBBE9EF98A14F400A1DF49993282DB34E608C767
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000008), ref: 100196A1
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000002), ref: 100196D9
                                                  • LockServiceDatabase.ADVAPI32(00000000), ref: 100196E2
                                                  • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019728
                                                  • UnlockServiceDatabase.ADVAPI32(00000000), ref: 10019733
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019740
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 10019743
                                                  • Sleep.KERNEL32(000000C8), ref: 1001974A
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseDatabaseHandleProcess$ChangeConfigCurrentLockManagerSleepTokenUnlock
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2207141857-2896544425
                                                  • Opcode ID: 2f3acc30e24ab5a10817afa1dfb6eda61875a7786e2a6d68692a696860b2cb32
                                                  • Instruction ID: dc65207eb95ef46fdda0787c0b6e18c9b4e2414683cc893defa47448b081054d
                                                  • Instruction Fuzzy Hash: D2213D3925411467E320AB789C4AFEB3B98FB94760F140326FA199B2C1DD74EC448675
                                                  APIs
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAA6
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAE3
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AAF3
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB0A
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00000000,774C83C0,774D32C0,774D23A0), ref: 1001AB11
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$#823lstrlen$AddressCloseCreateHandleLibraryLoadProcReadSize
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 1069036285-946259135
                                                  • Opcode ID: 5a94f7587d8c9009ace8e15a0aa4a76d818b3a8cac7c22567c57c3c87f9c405e
                                                  • Instruction ID: 37052403d1830ee5bbc2a658acef88262f79e6c9eb3fb75476596a4dbd9106d3
                                                  • Instruction Fuzzy Hash: 15210731204750AFE310CB68CC91BEBB7D9FB89350F444A2CFA49972D0DA755A05CBA1
                                                  APIs
                                                    • Part of subcall function 1001B690: GetCurrentProcess.KERNEL32(00000028,00000000,00000001,?,?), ref: 1001B69A
                                                    • Part of subcall function 1001B690: OpenProcessToken.ADVAPI32(00000000), ref: 1001B6A1
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10019871
                                                  • OpenServiceA.ADVAPI32(00000000,?,00000034), ref: 100198A9
                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 100198B7
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100198DA
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 100198ED
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FA
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 100198FD
                                                  • Sleep.KERNEL32(000000C8), ref: 10019904
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleProcess$ControlCurrentManagerQuerySleepStartStatusToken
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3878120848-2896544425
                                                  • Opcode ID: 3686d3d753bd6d724ea35e6a9d07ba9d6be5f52da5a1c1b2a9d2d1cb915500a3
                                                  • Instruction ID: 50e31cc6d71f3cb09cdeb76e9080be0a7887b9f28361484d1c1b8db58f74100a
                                                  • Instruction Fuzzy Hash: C721EB352502146BE714EB609C8AFBF77D4FB88350F15061AFA0A9A1C0EEB4AD448665
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 100296A0
                                                  • GetCurrentProcess.KERNEL32(?), ref: 100296AB
                                                  • IsWow64Process.KERNEL32(00000000), ref: 100296B2
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 100296FD
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 10029717
                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 1002973C
                                                  • CloseHandle.KERNEL32(00000000), ref: 10029745
                                                  Strings
                                                  • \system32\drivers\etc\hosts, xrefs: 100296C9
                                                  • \sysnative\drivers\etc\hosts, xrefs: 100296C2
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Process$AttributesCloseCreateCurrentDirectoryHandleWindowsWow64Write
                                                  • String ID: \sysnative\drivers\etc\hosts$\system32\drivers\etc\hosts
                                                  • API String ID: 4291671391-1011561390
                                                  • Opcode ID: 6d2aab1879e50ae919526baaebbd9e7b13688cea601f4d7427907524a0e0ee94
                                                  • Instruction ID: 8e788a18e3254e479bb86b2ded3e25cb8691feeec2c8d09929d15b61de345cee
                                                  • Instruction Fuzzy Hash: A421C5352043056BE324DB78DC49F9B7B98FB84720F140F2CFA9A972D0DBB0990987A1
                                                  APIs
                                                  • #2614.MFC42(?,?,10007AFF), ref: 10008084
                                                  • #860.MFC42(*.*,?,?,10007AFF), ref: 10008091
                                                  • #3811.MFC42(?,*.*,?,?,10007AFF), ref: 100080B2
                                                  • #3811.MFC42(?,?,*.*,?,?,10007AFF), ref: 100080C1
                                                  • #3811.MFC42(?,?,?,*.*,?,?,10007AFF), ref: 100080D0
                                                  • #3811.MFC42(?,?,?,?,*.*,?,?,10007AFF), ref: 100080DF
                                                  • #3811.MFC42(?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080EE
                                                  • #3811.MFC42(?,?,?,?,?,?,*.*,?,?,10007AFF), ref: 100080FD
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #3811$#2614#860
                                                  • String ID: *.*
                                                  • API String ID: 4293058641-438819550
                                                  • Opcode ID: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                  • Instruction ID: 666ce54a2a265a37b10a0135446347dcc930d7d9a3e7cb816894ca7fb184fd78
                                                  • Opcode Fuzzy Hash: 9a1bd5b303f82e1101b9f388daf2ff61e48d11c0f8e37bea33aad176008b9ec5
                                                  • Instruction Fuzzy Hash: 5D11B3B5404B059FC7A4CFA5D681946BBE5FE886007848A2EA18AC7A24E770F504DF50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,MultiByteToWideChar,.23,00000000,?,00000000,10005979,?,?), ref: 100059E4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059ED
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA,?,00000000,10005979,?,?), ref: 100059FB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100059FE
                                                  • malloc.MSVCRT ref: 10005A1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc$malloc
                                                  • String ID: .23$KERNEL32.dll$MultiByteToWideChar$lstrlenA
                                                  • API String ID: 1625907898-566195008
                                                  • Opcode ID: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                  • Instruction ID: cce5c33cb54e4e20ebcd19e924e9cf720d43bdeab14a6bb2b58a7cbeabffb214
                                                  • Opcode Fuzzy Hash: 5775f1e7eb7e2f5d9e18227d5eded49f95364944b1adf940be7b042424f80c18
                                                  • Instruction Fuzzy Hash: A5F0C8E25403196BE620ABB48C46E7BB7ECEF85351F05482AF545D3240DA68E8008771
                                                  APIs
                                                    • Part of subcall function 10018A20: ReleaseDC.USER32(00000000,?), ref: 10018A38
                                                    • Part of subcall function 10018A20: GetDC.USER32(00000000), ref: 10018A40
                                                  • GetCursorPos.USER32(?), ref: 10018246
                                                  • GetSystemMetrics.USER32(00000000), ref: 10018255
                                                  • _ftol.MSVCRT ref: 10018273
                                                  • _ftol.MSVCRT ref: 10018288
                                                  • GetCursorInfo.USER32(?,?,00000008), ref: 100182AE
                                                  • DestroyCursor.USER32(?), ref: 100182D9
                                                  • BitBlt.GDI32(?,00000000,00000000,10016B8A,?,?,00000000,00000000,?), ref: 1001831C
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 10018373
                                                  • Sleep.KERNEL32(00000001), ref: 10018393
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 1001839C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cursor$CounterPerformanceQuery_ftol$DestroyInfoMetricsReleaseSleepSystem
                                                  • String ID:
                                                  • API String ID: 2306850792-0
                                                  • Opcode ID: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                  • Instruction ID: ed20b3c1f5c79fd808ca28f3e705cb4aa4f98cfa336912cfc5d34cc1cf5afb6b
                                                  • Opcode Fuzzy Hash: bb3ab1a7d1fb864ae3465332f95efda82989cf761ace87dd28a93c5291d193c7
                                                  • Instruction Fuzzy Hash: 43517B75204B019FE324DF29C890B5BB7E5FB88700F544A1DF6A69B290E770FA85CB61
                                                  APIs
                                                  • ReleaseDC.USER32(00000000,?), ref: 10018034
                                                  • DeleteDC.GDI32(?), ref: 10018044
                                                  • DeleteDC.GDI32(?), ref: 1001804A
                                                  • DeleteDC.GDI32(?), ref: 10018050
                                                  • DeleteObject.GDI32(?), ref: 1001805C
                                                  • DeleteObject.GDI32(?), ref: 10018062
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018083
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 10018093
                                                  • #825.MFC42(?,?,?,?,?,?,?,10098B7C,000000FF,10017FE8), ref: 100180A3
                                                  • DestroyCursor.USER32(?), ref: 100180C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$#825$Object$CursorDestroyRelease
                                                  • String ID:
                                                  • API String ID: 719826280-0
                                                  • Opcode ID: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                  • Instruction ID: ee9c09a91b7e4212c511851f40033770f7d05fd05274aa2e52ec135f7c4494b2
                                                  • Opcode Fuzzy Hash: 90877511eecfd0b4e7a431cebd02d7416917aa731a6839dde4062e1f4328a9cd
                                                  • Instruction Fuzzy Hash: 8921BFB6600B049BE620DF65CC80B57B3ECFF88610F050A1DE59A97790CB79F9048BA1
                                                  APIs
                                                    • Part of subcall function 1002BE50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                    • Part of subcall function 1002BE50: Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                    • Part of subcall function 1002BE50: _strcmpi.MSVCRT ref: 1002BEA7
                                                    • Part of subcall function 1002BE50: Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                    • Part of subcall function 1002BE50: CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1002C3E2
                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1002C3FC
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1002C422
                                                  • #823.MFC42(?), ref: 1002C42F
                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1002C451
                                                  • #823.MFC42(00000100), ref: 1002C473
                                                  • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1002C4A3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Token$#823InformationOpenProcessProcess32$AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32_strcmpi
                                                  • String ID: explorer.exe
                                                  • API String ID: 1409679202-3187896405
                                                  • Opcode ID: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                  • Instruction ID: 473375eb415be4f23099c9e5e37f9ddbe1d6da3e806a8c1c49872e14675b6481
                                                  • Opcode Fuzzy Hash: cdf207af64fab364c8e5cf922331446714e2d043d2f38fccba7b385bc9961bc5
                                                  • Instruction Fuzzy Hash: D2412CB6D00228AFDB51EF99EC85FEEBBB8FB48710F10415AF509A3240D6715A40CFA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintfwsprintf$FileModuleName
                                                  • String ID: %s:%d
                                                  • API String ID: 2407558147-1029262843
                                                  • Opcode ID: f1ef188187d78e0a16907e5f11dc61552a00540253b1ccd5cdf84df255ce1727
                                                  • Instruction ID: e815397db5246e6f6802c68306d9717a4aee6575a3eb06acbc3571d740056e5a
                                                  • Opcode Fuzzy Hash: f1ef188187d78e0a16907e5f11dc61552a00540253b1ccd5cdf84df255ce1727
                                                  • Instruction Fuzzy Hash: DC21F27A4042096FD224C724DC84FEBB3D8EFE8310F45492DFA9893140EBF46A468B92
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10026C36
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026C48
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 10026C65
                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 10026C76
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10026C93
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026C9A
                                                  • LocalFree.KERNEL32(?), ref: 10026CCA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateDirectoryFreeHandleLocalPointerSystemWritelstrcat
                                                  • String ID: p
                                                  • API String ID: 3379061965-2181537457
                                                  • Opcode ID: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                  • Instruction ID: 60c71b90a0802acaa0e5dbf25da7476a72f7519069fb5f0452f7d82c481299c6
                                                  • Opcode Fuzzy Hash: dff563a2350ad42211304f3934d3364c625aae18de2b9c5e09d3b81c4ae3f541
                                                  • Instruction Fuzzy Hash: 8621DE75244305ABE310DF58CC85FDBB7E8FBC8704F044A1DF68996190D774A608CBA2
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 100291FA
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 1002920B
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,?,?,00000000,0000001C,00000004,00000000), ref: 10029240
                                                  • SuspendThread.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029245
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,0000001C,00000004,00000000), ref: 10029248
                                                  • Thread32Next.KERNEL32(00000000,?), ref: 10029254
                                                  • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000004,00000000), ref: 10029260
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextSnapshotSuspendTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 3882456823-2896544425
                                                  • Opcode ID: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                  • Instruction ID: 0dba8d27cde3c0ec8bc65889917dbe9669003c362c892a02e3719d3f6e3c27b7
                                                  • Opcode Fuzzy Hash: 21207cfc81d0fa30fd38e5c79fccdacdf40486e218a730a008db783386ba6bf6
                                                  • Instruction Fuzzy Hash: A201A135201314BFE600DB559C81FAFB3E8FFC5650F854919FA4457280E771AD08CBA6
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B60
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B80
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024B94
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BA8
                                                  • WTSFreeMemory.WTSAPI32(?,00000000,?,00000010,?,?,?,?,?,?,?), ref: 10024BBB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeMemory$InformationQuerySession
                                                  • String ID: Console$ICA$RDP
                                                  • API String ID: 2964284127-2419630658
                                                  • Opcode ID: df0e8ef96ec19fe245753eb9cbf5e3512039306d11ed641a21aaf085ba578fda
                                                  • Instruction ID: 6fde5d2b94ba599e7f00ab1ebe28573773083349e123f0dd9148145d97b74e9b
                                                  • Opcode Fuzzy Hash: df0e8ef96ec19fe245753eb9cbf5e3512039306d11ed641a21aaf085ba578fda
                                                  • Instruction Fuzzy Hash: 1B01F5B6618221678504EB5CBC418EBB2E8EB90A55F49442EF944D7200E630ED1CCBF6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 1002AE32
                                                  • RegQueryValueExA.ADVAPI32(00000050,Favorites,00000000,00000000,00000000,00000050), ref: 1002AE53
                                                  • RegCloseKey.ADVAPI32(?), ref: 1002AE5E
                                                  • LocalAlloc.KERNEL32(00000040,00002710), ref: 1002AE6B
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,?), ref: 1002AB66
                                                    • Part of subcall function 1002AB10: lstrcatA.KERNEL32(00000000,\*.*), ref: 1002AB75
                                                    • Part of subcall function 1002AB10: FindFirstFileA.KERNEL32(00000000,?), ref: 1002AB91
                                                  • LocalReAlloc.KERNEL32(?,00000001,00000042), ref: 1002AEA0
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 1002AE28
                                                  • Favorites, xrefs: 1002AE4D
                                                  • P, xrefs: 1002AE18
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocallstrcat$CloseFileFindFirstOpenQueryValue
                                                  • String ID: Favorites$P$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 3779601296-2418616894
                                                  • Opcode ID: 81febcf26dc55b13852d1e9a2702c5849ee91f07527dce4e52869052a9741c18
                                                  • Instruction ID: 6913e7c7b63f66f2c2ac709f58474ede4dff9e42c83939d3ce10ecd427e6f85a
                                                  • Opcode Fuzzy Hash: 81febcf26dc55b13852d1e9a2702c5849ee91f07527dce4e52869052a9741c18
                                                  • Instruction Fuzzy Hash: 56118FB4204302BFE301DF14CC96F9A7BA5BB88704F504E1DF658A26A1D7B8A419CB66
                                                  APIs
                                                    • Part of subcall function 100290C0: GetCurrentProcess.KERNEL32(00000028), ref: 100290D0
                                                    • Part of subcall function 100290C0: OpenProcessToken.ADVAPI32(00000000), ref: 100290D7
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 10029177
                                                  • Thread32First.KERNEL32(00000000,0000001C), ref: 10029184
                                                  • Thread32Next.KERNEL32(00000000,0000001C), ref: 1002919F
                                                  • OpenThread.KERNEL32(001F03FF,00000000,?,00000004,00000000), ref: 100291B2
                                                  • ResumeThread.KERNEL32(00000000), ref: 100291BB
                                                  • CloseHandle.KERNEL32(00000000), ref: 100291C2
                                                  • CloseHandle.KERNEL32(00000000,00000004,00000000), ref: 100291C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessThreadThread32$CreateCurrentFirstNextResumeSnapshotTokenToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2312015761-2896544425
                                                  • Opcode ID: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction ID: 5baa37ad70a989ad156aa77d6f180d112f87292081aecf7063da644eb0796895
                                                  • Opcode Fuzzy Hash: 92575825664269da82754a126b87f41c0fa238dd4cdd121b5c861b03491c7cf0
                                                  • Instruction Fuzzy Hash: 9501A935244204BFF200EBA99C86FAF77A8FF85B90F844519FA0486281D671AD058BB7
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(dwmapi.dll,10098B10,1001767F), ref: 10017486
                                                  • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 1001749F
                                                  • GetProcAddress.KERNEL32(00000000,DwmEnableComposition), ref: 100174AB
                                                    • Part of subcall function 10017460: #102.DWMAPI(00000000,100174B6), ref: 1001746B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 100174B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryProc$#102FreeLoad
                                                  • String ID: DwmEnableComposition$DwmIsCompositionEnabled$dwmapi.dll$Mw
                                                  • API String ID: 921056788-344633171
                                                  • Opcode ID: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction ID: ec8973c85b4295611fe6e660086daf7ad590bfada4181087f49f392a1ed51eb0
                                                  • Opcode Fuzzy Hash: e7bc18532d82db7781f6db1b43c4f4c4d0ba297617c9142dcf3622deb4fcc179
                                                  • Instruction Fuzzy Hash: 29E0123A502D3A679251F72D5C14DCF2AA8FF867E13464251FD08F6114DB24DD4289B6
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015221
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 10015257
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100152AB
                                                  • malloc.MSVCRT ref: 100152EC
                                                  • malloc.MSVCRT ref: 100152F7
                                                  • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 10015381
                                                  • free.MSVCRT ref: 10015418
                                                  • free.MSVCRT ref: 1001541F
                                                  • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10015428
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocalfreemalloc$EnumInfoOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 1291067549-0
                                                  • Opcode ID: 223ba89da2e7258f0a281b455369526f05dc9daf1ee0305a9c4ad9c3c2095615
                                                  • Instruction ID: bf3e5857093f2ce02f48be4dfb8f04d396de7b56441170d6bdfe1fa702288673
                                                  • Opcode Fuzzy Hash: 223ba89da2e7258f0a281b455369526f05dc9daf1ee0305a9c4ad9c3c2095615
                                                  • Instruction Fuzzy Hash: FA71C0716083059FD718CF28C880B6BBBE9FBC8745F484A1DF9869B350DA71EA44CB52
                                                  APIs
                                                  • CreateRectRgnIndirect.GDI32(?), ref: 10018486
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 1001851A
                                                  • #823.MFC42(00000000,?,?,?,?,?,?,00000001,?,?,?), ref: 1001851F
                                                  • GetRegionData.GDI32(00000000,00000000,00000000), ref: 10018530
                                                  • DeleteObject.GDI32(?), ref: 10018537
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,10016B8A), ref: 10018547
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DataRegion$#823#825CreateDeleteIndirectObjectRect
                                                  • String ID:
                                                  • API String ID: 643377033-0
                                                  • Opcode ID: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction ID: 3140f93dabf97cb7bd3e409eff6f417ecd497d9d1c0577791c74c40de05a7771
                                                  • Opcode Fuzzy Hash: 001346d870f36c53a5a7599e2016c51c9870b5627219f4efa7edda646e5686e0
                                                  • Instruction Fuzzy Hash: F85181B56087028BD314DF29D880A5BB7E6FFC8710F15492DF48ACB311EB74EA458B56
                                                  APIs
                                                  • GetWindowTextA.USER32(?,?,000003FF), ref: 10029EA4
                                                  • IsWindowVisible.USER32 ref: 10029EB3
                                                  • lstrlenA.KERNEL32(?), ref: 10029ECC
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029EDF
                                                  • LocalSize.KERNEL32 ref: 10029EEF
                                                  • lstrlenA.KERNEL32(?), ref: 10029F0D
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10029F19
                                                  • GetWindowThreadProcessId.USER32(?), ref: 10029F26
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000042), ref: 10029F34
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                  • String ID:
                                                  • API String ID: 925664022-0
                                                  • Opcode ID: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction ID: add1fb3533e99334b1788f801bc1a9e543b8ff74f7df4c1f04976087df14b6d6
                                                  • Opcode Fuzzy Hash: bdfcf0507623c4ea93ccd5645be1c1770e5c62d3ec9ad61f7fed79ab38ba254a
                                                  • Instruction Fuzzy Hash: 2621027A2003469BE750DF24CC84BEB77A8FB84750F84452DFE49A3240DA35A80AC771
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001656D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10016578
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016589
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 10016594
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165A3
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165AC
                                                  • ReleaseDC.USER32(00000000,?), ref: 100165B7
                                                    • Part of subcall function 100167E0: sprintf.MSVCRT ref: 1001682F
                                                    • Part of subcall function 100167E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 1001686F
                                                    • Part of subcall function 100167E0: RegSetValueExA.ADVAPI32(?,SuppressDisableCompositionUI,00000000,00000004,?,00000004), ref: 1001688E
                                                    • Part of subcall function 100167E0: RegCloseKey.ADVAPI32(?), ref: 1001689D
                                                  • BlockInput.USER32(00000000,?,?,?,?,?,?,00000000,10098A46,000000FF,1000CC5B), ref: 100165CD
                                                  • DestroyCursor.USER32(00000000), ref: 1001660A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$ExchangeHandleInterlockedObjectSingleWait$BlockCursorDestroyInputOpenReleaseValuesprintf
                                                  • String ID:
                                                  • API String ID: 1142494416-0
                                                  • Opcode ID: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction ID: d4b191a7be4f08d6e559449bda8c86e8365c3d0bd4d75666bcc753f4c4a699e3
                                                  • Opcode Fuzzy Hash: 4ceefefdeb35724f5cd5cb8af09bc795719a28882878dd3cc17cf0b47423efc6
                                                  • Instruction Fuzzy Hash: 00212C752407049BE614DB64CC81BD6B3E8FF88720F154A1DF26A972D0CBB5B901CB91
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C5E2
                                                  • GetThreadDesktop.USER32(00000000), ref: 1002C5E9
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C61C
                                                  • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1002C627
                                                  • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1002C64E
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 1002C65D
                                                  • SetThreadDesktop.USER32(00000000), ref: 1002C668
                                                  • CloseDesktop.USER32(00000000), ref: 1002C680
                                                  • CloseDesktop.USER32(00000000), ref: 1002C683
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                  • String ID:
                                                  • API String ID: 3718465862-0
                                                  • Opcode ID: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction ID: 7203b97fb3658a15e50f8a55408f95546fea7e3c6eec87968affc7e345bb74f4
                                                  • Opcode Fuzzy Hash: 346a97fe3b554d6ea7b4bbaf12baa1f8d932fbe5d70e927d73db7af9313f27ee
                                                  • Instruction Fuzzy Hash: B811EB751043196BF310DF68DC4AFDB77D8FB84700F010D19F64592191EBB4A549C7A6
                                                  APIs
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F11
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F1F
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F2C
                                                  • #541.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F39
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F46
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F53
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F60
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F6D
                                                  • #540.MFC42(?,?,?,?,10098541,000000FF,10008360,1012B064,00000000,00000000), ref: 10010F90
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110F5
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,?), ref: 100110FD
                                                    • Part of subcall function 100110D0: #6143.MFC42(00000000,000000FF,00000000,?), ref: 10011110
                                                    • Part of subcall function 100110D0: #2614.MFC42(00000000,000000FF,00000000,?), ref: 1001111C
                                                    • Part of subcall function 100110D0: #860.MFC42(?,00000000,000000FF,00000000,000000FF,00000000,?), ref: 10011137
                                                    • Part of subcall function 100110D0: PathGetArgsA.SHLWAPI(00000000,?), ref: 10011172
                                                    • Part of subcall function 100110D0: #860.MFC42(00000000), ref: 1001117C
                                                    • Part of subcall function 100110D0: PathRemoveArgsA.SHLWAPI(00000000), ref: 10011186
                                                    • Part of subcall function 100110D0: PathUnquoteSpacesA.SHLWAPI(00000000,?), ref: 10011191
                                                    • Part of subcall function 100110D0: _splitpath.MSVCRT ref: 100111C5
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?), ref: 100111D6
                                                    • Part of subcall function 100110D0: #860.MFC42(?,?,?,?,?,?), ref: 100111E8
                                                    • Part of subcall function 100110D0: #6876.MFC42(0000002F,0000005C,?,?,?,?,?,?), ref: 100111F3
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #540$#860$#2614Path$Args$#541#6143#6876RemoveSpacesUnquote_splitpath
                                                  • String ID:
                                                  • API String ID: 882339912-0
                                                  • Opcode ID: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction ID: b1f006ec1c09e58242ba318f60969b2c11d84897468487acfae0c13bde89da3f
                                                  • Opcode Fuzzy Hash: bcae64db62a9173b5de6d8cd2ae765ea97d72524f73a260d54af00dd520cab45
                                                  • Instruction Fuzzy Hash: DB213B780057818ED354CF59D642B6AFBE4FF94B10F40491DE4DA83682DB74B508CBB2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10017C2A
                                                  • GetClipboardData.USER32(00000001), ref: 10017C36
                                                  • CloseClipboard.USER32 ref: 10017C46
                                                  • GlobalSize.KERNEL32(00000000), ref: 10017C55
                                                  • GlobalLock.KERNEL32(00000000), ref: 10017C5F
                                                  • #823.MFC42(00000001), ref: 10017C68
                                                  • GlobalUnlock.KERNEL32(?), ref: 10017C8F
                                                  • CloseClipboard.USER32 ref: 10017C95
                                                  • #825.MFC42(00000000), ref: 10017CA7
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction ID: 9d338dc67493be82bb18043d65382f3dd730fbe0f51d25364675624cb99999ab
                                                  • Opcode Fuzzy Hash: e4c83fdc53078b23110fe99408f6848a6625d633b3bafd07e91433b67cd46e05
                                                  • Instruction Fuzzy Hash: E001D6395046246FE710EB649C89ADB37A8FF44651F490228FD0ED7250EB75E904C6F2
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 10016F1A
                                                  • GetClipboardData.USER32(00000001), ref: 10016F26
                                                  • CloseClipboard.USER32 ref: 10016F36
                                                  • GlobalSize.KERNEL32(00000000), ref: 10016F45
                                                  • GlobalLock.KERNEL32(00000000), ref: 10016F4F
                                                  • #823.MFC42(00000001), ref: 10016F58
                                                  • GlobalUnlock.KERNEL32(?), ref: 10016F7F
                                                  • CloseClipboard.USER32 ref: 10016F85
                                                  • #825.MFC42(00000000), ref: 10016F97
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$#823#825DataLockOpenSizeUnlock
                                                  • String ID:
                                                  • API String ID: 15072309-0
                                                  • Opcode ID: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction ID: 7427716a2ac4119ad4da49d555f0140185f668cd49e7d982ef33821d485bf08e
                                                  • Opcode Fuzzy Hash: 4072f59da86136a8181d21f34bb8e7e131716998d916dfe5853bc9eb5e6c99c2
                                                  • Instruction Fuzzy Hash: 2401DB395042246FE710EB64AC89AEB3798FF44701F484229FD0ED7200EB759904C6F1
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(1012C508), ref: 10022E6A
                                                  • LeaveCriticalSection.KERNEL32(1012C508), ref: 10022E82
                                                    • Part of subcall function 10022D10: _strnicmp.MSVCRT ref: 10022D24
                                                  • send.WS2_32(?,HTTP/1.0 200 OK,?,00000000), ref: 10022F1E
                                                  • send.WS2_32(?,?,00000000,00000000), ref: 10022F94
                                                  • CreateThread.KERNEL32(00000000,00000000,10023F60,?,00000000,?), ref: 10022FBC
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00000000), ref: 10022FC9
                                                    • Part of subcall function 10022C80: atoi.MSVCRT(?), ref: 10022CB9
                                                    • Part of subcall function 100234D0: htons.WS2_32 ref: 100234F3
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023509
                                                    • Part of subcall function 100234D0: inet_addr.WS2_32(?), ref: 10023527
                                                    • Part of subcall function 100234D0: socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                    • Part of subcall function 100234D0: setsockopt.WS2_32 ref: 1002355E
                                                    • Part of subcall function 100234D0: connect.WS2_32(?,?,00000010), ref: 1002356E
                                                    • Part of subcall function 100234D0: closesocket.WS2_32 ref: 1002357C
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSectioninet_addrsend$CreateEnterLeaveObjectSingleThreadWait_strnicmpatoiclosesocketconnecthtonssetsockoptsocket
                                                  • String ID: HTTP/1.0 200 OK
                                                  • API String ID: 599367761-2989790534
                                                  • Opcode ID: 3a83a345fa6cc43c5028e6a13932833ef39c1a9109f0475e0ed07c836c74516c
                                                  • Instruction ID: 6c495e11dbbe65a851730208be1e1eec0c6c7a4ac8f1e434506d01e3ea796d72
                                                  • Opcode Fuzzy Hash: 3a83a345fa6cc43c5028e6a13932833ef39c1a9109f0475e0ed07c836c74516c
                                                  • Instruction Fuzzy Hash: 3341E135604205ABD760CBA4ED84FAB77E8EB84354F504B28F94893284DA34ED45CBA2
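The record above has the shape of an HTTP CONNECT-style tunnel rather than a plain beacon: incoming text is compared with _strnicmp, a port is taken with atoi and an address with inet_addr, the subcall opens a TCP socket and connect()s to it, the function then send()s the literal "HTTP/1.0 200 OK" and starts a relay thread that it waits on. That reading is an inference from the API sequence, not a statement the report makes. The following is an added example, not code from the sample or from Joe Sandbox: it parses both halves of such a handshake and classifies the reply, distinguishing a standard proxy answer from a bare status line followed directly by tunnel bytes. Whether the sample appends a terminating blank line after its status line is not visible in the record, so both forms are handled. All byte strings below are constructed.

```python
import re
from ipaddress import ip_address

# Client half: "CONNECT host:port HTTP/1.x". The sample resolves targets with
# inet_addr, so a dotted-quad literal is the expected host form.
CONNECT_LINE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>[^ \t:/]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE,
)
# Server half: an HTTP status line; the sample's string is "HTTP/1.0 200 OK".
STATUS_LINE = re.compile(rb"^HTTP/1\.[01][ \t]+(?P<code>\d{3})[ \t]*(?P<reason>[^\r\n]*)\r?\n")


def parse_connect_request(data: bytes):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_LINE.match(data)
    if not m:
        return None
    port = int(m["port"])
    if not 1 <= port <= 65535:
        return None
    return m["host"].decode("ascii", "replace"), port


def parse_status_reply(data: bytes):
    """Return (code, reason, header_block_complete) for the reply, else None.

    header_block_complete is False when the status line is followed directly by
    non-HTTP bytes, i.e. the responder never terminated a header block.
    """
    m = STATUS_LINE.match(data)
    if not m:
        return None
    rest = data[m.end():]
    complete = rest.startswith(b"\r\n") or rest.startswith(b"\n") or b"\r\n\r\n" in data
    return int(m["code"]), m["reason"].decode("ascii", "replace").strip(), complete


def classify_handshake(client_first: bytes, server_first: bytes) -> str:
    """Classify one TCP connection from the first payload seen in each direction."""
    req = parse_connect_request(client_first)
    if req is None:
        return "not-connect"
    rep = parse_status_reply(server_first)
    if rep is None:
        return "connect-no-http-reply"
    code, _reason, complete = rep
    if code != 200:
        return f"connect-refused-{code}"
    if not complete:
        # Status line with no header terminator: raw relayed bytes follow at once.
        return "connect-tunnel-bare-status"
    return "connect-tunnel"


def is_private_target(host: str) -> bool:
    """True when the tunnel target is a private or loopback literal, the pivot case."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # hostname rather than a literal


def standard_tunnel_reply(established: bool) -> bytes:
    """The reply a compliant CONNECT proxy sends, for comparison with the sample's bare line."""
    if established:
        return b"HTTP/1.0 200 Connection established\r\n\r\n"
    return b"HTTP/1.0 502 Bad Gateway\r\n\r\n"
```

Run classify_handshake over the first client and server payloads of each inbound connection to a host; a 200 whose header block is never terminated, with a private-space target, is the combination worth alerting on.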
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1002C0AA
                                                  • lstrlenA.KERNEL32 ref: 1002C0C9
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 1002C0D2
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002C0D9
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCrkat,?,00000000,0000002E,00000001), ref: 10014D10
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D19
                                                    • Part of subcall function 10014CA0: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA), ref: 10014D27
                                                    • Part of subcall function 10014CA0: GetProcAddress.KERNEL32(00000000), ref: 10014D2A
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFileLibraryLoadProc$CloseCreateHandleWritelstrlen
                                                  • String ID: BITS$C:\ProgramData\Microsoft Drive\BITS.sys$TGByte\Setup
                                                  • API String ID: 46210954-946259135
                                                  • Opcode ID: af8c7899827bfc83741b1d3830a02ff880f794bc520886e4f1cc45e81e84da78
                                                  • Instruction ID: adb6deec904987800fe85f6b3ecb473ff369c94e7e2e7fdca2e69a06bd759cd3
                                                  • Opcode Fuzzy Hash: af8c7899827bfc83741b1d3830a02ff880f794bc520886e4f1cc45e81e84da78
                                                  • Instruction Fuzzy Hash: D7116375104310BFE310DF18DC95BEBBBE9FB89710F444929FA48A72A1DB745909CBA2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 100124D5
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 100124E3
                                                  • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 10012522
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10098376,000000FF), ref: 1001252D
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressCriticalDeleteFreeLoadProcSection
                                                  • String ID: closesocket$ws2_32.dll$Mw
                                                  • API String ID: 1041861973-3997281919
                                                  • Opcode ID: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction ID: 84a0c60808f6a2c03e40c6969a83a2f887d69962a4d8d2a11b52e44a2cc86ffd
                                                  • Opcode Fuzzy Hash: 7ec5b394c5dd60fd7d873c2236bf67511227bc33ef3d5c31afae368c8e1ea57f
                                                  • Instruction Fuzzy Hash: B0119EB55047459BC300DF28DC44B8AFBE8FF44760F400B29F86993390D77899548AA1
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 1000BB2D
                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 1000BB3B
                                                  • strstr.MSVCRT ref: 1000BB74
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1000BB90
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProcstrstr
                                                  • String ID: GetWindowTextA$user32.dll$Mw
                                                  • API String ID: 1147820842-3207607595
                                                  • Opcode ID: 28f36ffa30f0b3a5c6eb8c5afc7a3e3c44126d1935c80ebebe4283bddbf57439
                                                  • Instruction ID: 20ad0ba14054967af191ad90f6f60be9464bb0ccc7b687a2d9e76176f1de83c1
                                                  • Opcode Fuzzy Hash: 28f36ffa30f0b3a5c6eb8c5afc7a3e3c44126d1935c80ebebe4283bddbf57439
                                                  • Instruction Fuzzy Hash: E9F0C8395002506BF3219B2CCC84BEB7BE8FF84341F044924F94996254DBB99549C6A1
                                                  APIs
                                                    • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 1001256B
                                                    • Part of subcall function 10012560: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,100988A8,000000FF,1000EB8A), ref: 10012585
                                                  • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
                                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
                                                  • FreeLibrary.KERNEL32(00000000), ref: 10012619
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
                                                  • String ID: 5$closesocket$ws2_32.dll$Mw
                                                  • API String ID: 2819327233-1087236393
                                                  • Opcode ID: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                  • Instruction ID: 2761632c92e94d1a980d48baebd45236be465951dd9527d8c45c8e1131a91282
                                                  • Opcode Fuzzy Hash: 27ca07e9f078f202f3a329561812890b0cb509a05fc093fdfdbdbb04bf2e6fa4
                                                  • Instruction Fuzzy Hash: 83F0A77A100A116BD301EF1C9C84DDB77A8FF84752F440519FE4496201DB34E919C7B2
                                                  APIs
                                                  • _CxxThrowException.MSVCRT(?,100F59A0), ref: 10004DC3
                                                  • #823.MFC42(10004C7C,?,00000004,00000000,00000004,10004C8B,00000004,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10004E37
                                                  • #823.MFC42(00000000,?,?,?,00000000,10097CF0,000000FF,761123A0,10004C8B,?,00000000), ref: 10004E48
                                                  • #825.MFC42(00000000,00000000,?,?,?), ref: 10004EAE
                                                  • #825.MFC42(00000000,00000000,00000000,?,?,?), ref: 10004EB4
                                                  • _CxxThrowException.MSVCRT(?), ref: 10004ED1
                                                  • #825.MFC42(?,?,?,?,?,00000000,10097CF0,000000FF,761123A0,10004C8B,?,00000000), ref: 10004EDE
                                                  • #825.MFC42(10097CF0,?,?,?,?,00000000,10097CF0,000000FF,761123A0,10004C8B,?,00000000), ref: 10004EEE
                                                    • Part of subcall function 10004FA0: _ftol.MSVCRT ref: 10004FDF
                                                    • Part of subcall function 10004FA0: #823.MFC42(00000000), ref: 10004FE9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$#823$ExceptionThrow$_ftol
                                                  • String ID:
                                                  • API String ID: 3722084872-0
                                                  • Opcode ID: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                  • Instruction ID: a565fb7e3d51c96f679dbc9a240e4393d41c51425d2560a9ab3a27c4c36f4040
                                                  • Opcode Fuzzy Hash: c76f4588f4861e8b0e5033ec5df18216b91fc0f614261ac88326526c7a5f0dfa
                                                  • Instruction Fuzzy Hash: 9F51B4B5A002099BEF00DF64C881FEEB7B9EF48680F014029F905AB345DF34B9058B95
                                                  APIs
                                                    • Part of subcall function 100193B0: ReleaseDC.USER32(?,?), ref: 100193CA
                                                    • Part of subcall function 100193B0: GetDesktopWindow.USER32 ref: 100193D0
                                                    • Part of subcall function 100193B0: GetDC.USER32(00000000), ref: 100193DD
                                                  • GetCursorPos.USER32(?), ref: 10018E2A
                                                  • GetCursorInfo.USER32(?), ref: 10018E4B
                                                  • DestroyCursor.USER32(?), ref: 10018E74
                                                  • GetTickCount.KERNEL32 ref: 10018F68
                                                  • Sleep.KERNEL32(00000001), ref: 10018F7D
                                                  • GetTickCount.KERNEL32 ref: 10018F7F
                                                  • GetTickCount.KERNEL32 ref: 10018F8C
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10018F90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
                                                  • String ID:
                                                  • API String ID: 3294368536-0
                                                  • Opcode ID: 8e59e283545c54a72f066a9ea5b12339734f7a36fcbf472c7d2c7538942f2430
                                                  • Instruction ID: e3fc8f9c6b5c6e41deacf068d5df81eeb71275da08ab79c8efc0fdef42278ccd
                                                  • Opcode Fuzzy Hash: 8e59e283545c54a72f066a9ea5b12339734f7a36fcbf472c7d2c7538942f2430
                                                  • Instruction Fuzzy Hash: E45181752007049FD724DF28C884A6AB3E6FFC8350B544A2DF586CB651D730FA86CB61
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 10015071
                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,?,00000000,000F003F,?), ref: 100150A7
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00000000,000F003F,?), ref: 100150E6
                                                  • #823.MFC42(?,?,?,?,00000000,000F003F,?), ref: 10015123
                                                  • RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 10015178
                                                  • #825.MFC42(00000000), ref: 100151BD
                                                  • RegCloseKey.ADVAPI32(?), ref: 100151CA
                                                  • LocalReAlloc.KERNEL32(?,?,00000042), ref: 100151D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocLocal$#823#825CloseEnumInfoOpenQuery
                                                  • String ID:
                                                  • API String ID: 601778281-0
                                                  • Opcode ID: 386ab23e73b43c236b7575fa9931372d53038780aebd8f4f87453a7edb17ef88
                                                  • Instruction ID: 600140b6dcf1fc6ac8c34a45a6bb1d45401c0701896d249da74092682c530594
                                                  • Opcode Fuzzy Hash: 386ab23e73b43c236b7575fa9931372d53038780aebd8f4f87453a7edb17ef88
                                                  • Instruction Fuzzy Hash: 91517171604305AFD714DF28CC91B6BB7E9FB88610F584A2DF949DB380D635ED058BA2
                                                  APIs
                                                  • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A40F
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A417
                                                  • memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A439
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A44B
                                                  • ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000A458
                                                  • ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?,?,00000000,00000065), ref: 1000A460
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?,?,?), ref: 1000A497
                                                  • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10097F61,000000FF,10009756,-00000008,?,?,?), ref: 1000A4D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
                                                  • String ID:
                                                  • API String ID: 1074130261-0
                                                  • Opcode ID: 9c78330a7592489e721474567922780b083d31e010480504787a7ba47f8834b6
                                                  • Instruction ID: 8f937d4beb23756cef0cc620a4d7fe7e7cbc97e07a2ad92db45a8aecb1b163fa
                                                  • Opcode Fuzzy Hash: 9c78330a7592489e721474567922780b083d31e010480504787a7ba47f8834b6
                                                  • Instruction Fuzzy Hash: B141D1396407549FD710CF19C8C869ABBE5FBC9BA0F44862EEC5A87351C7759D40CB40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _strnicmp
                                                  • String ID: CONNECT $GET $HEAD $POST
                                                  • API String ID: 2635805826-4031508290
                                                  • Opcode ID: 886f7a63f99b196ae41177838b3b8e2e3ea46c4eb8c2afe82e05ed8670fe826b
                                                  • Instruction ID: 93003e4082bd94f015f04539fd21958abe71ea584706d56f1fed77de756fb000
                                                  • Opcode Fuzzy Hash: 886f7a63f99b196ae41177838b3b8e2e3ea46c4eb8c2afe82e05ed8670fe826b
                                                  • Instruction Fuzzy Hash: 76019E31300612ABE700EA6CFC00BCA73D9FFD5316F860466F940DB280E3B888058B95
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: sprintf$floor
                                                  • String ID: %.0f
                                                  • API String ID: 389794084-4293663076
                                                  • Opcode ID: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                  • Instruction ID: a274ceac6ce3522e1593489d29bd3f77ae1b15863641420014f16e45a4b04ce6
                                                  • Opcode Fuzzy Hash: cb3f7aaaf6b266179aa8dd0ee4d912ea5967b7a82becc2bba026ec5a4ef99637
                                                  • Instruction Fuzzy Hash: F0417CB1A04615A7F3028B54ED9879777ACFFC23D6F044261FE8892294DB21D974C7E2
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 1002533C
                                                  • NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF,?,?,000000FF,774D0440,1012C830), ref: 10025362
                                                  • wcslen.MSVCRT ref: 100253A2
                                                  • malloc.MSVCRT ref: 100253AA
                                                  • wsprintfA.USER32 ref: 100253BC
                                                  • strncpy.MSVCRT ref: 100253CD
                                                  • free.MSVCRT ref: 100253D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: GroupsLocalUserfreemallocmbstowcsstrncpywcslenwsprintf
                                                  • String ID:
                                                  • API String ID: 4292357205-0
                                                  • Opcode ID: 860b1bcda722f66ef5b7ca5d212309183b7103327711cced61dc1363bdd465da
                                                  • Instruction ID: 5e7ec74c9f992581d681e196f1b1c67d5afcbc6acac8fa60ae93ef3b662d75d3
                                                  • Opcode Fuzzy Hash: 860b1bcda722f66ef5b7ca5d212309183b7103327711cced61dc1363bdd465da
                                                  • Instruction Fuzzy Hash: CD3145701083626FD315DF24DC809EBBBE8FB88315F400A2CF99AC3281DB71DA458B96
                                                  APIs
                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CAA5
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAB9
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CAD2
                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 1002CAFA
                                                  • recv.WS2_32(?,?,00002000,00000000), ref: 1002CB13
                                                  • closesocket.WS2_32 ref: 1002CB49
                                                  • closesocket.WS2_32(?), ref: 1002CB4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: closesocketrecv$select
                                                  • String ID:
                                                  • API String ID: 2008065562-0
                                                  • Opcode ID: 02298cda23435bc61be9cfb09b1083414a9cd937f3c938150b9f4154a4cffdb6
                                                  • Instruction ID: fff26b3238a694f0a4db4817269bd6ab97932eb903be9958e3dfeeb9e780b3a5
                                                  • Opcode Fuzzy Hash: 02298cda23435bc61be9cfb09b1083414a9cd937f3c938150b9f4154a4cffdb6
                                                  • Instruction Fuzzy Hash: 1E31C67560835E6BE335CEA4DC86FEBB7DCEB40780F810869EA45D6182D774E90487A3
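                                                   The "APIs" listings above are easier to triage once parsed: the LoadLibraryA/GetProcAddress pair at 100125F6/10012604 resolves a Winsock export at runtime, the select/recv/closesocket calls at 1002CAA5 to 1002CB4C form a receive loop, and the NetUserGetLocalGroups call at 10025362 enumerates local group membership. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses bullet lines in the report's format into records, groups them per function block, tags each block by the API families it touches (the tag names are this example's own choice, not a Joe Sandbox category), and pairs each LoadLibrary* call with the GetProcAddress calls that follow it to recover imports resolved at runtime. The sample text is constructed from lines copied from this page.

```python
"""Parse the per-function 'APIs' bullet listings of a Joe Sandbox report
into structured records and derive two triage facts from each function:
the API families it touches and the imports it resolves at runtime."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the function listings on this page.
SAMPLE = """\
APIs
  • Part of subcall function 10012560: EnterCriticalSection.KERNEL32(?,?,?,1001246B,?,00000001), ref: 1001256B
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100125F6
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 10012604
• FreeLibrary.KERNEL32(00000000), ref: 10012619
APIs
• select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1002CAA5
• recv.WS2_32(?,?,00002000,00000000), ref: 1002CAD2
• closesocket.WS2_32 ref: 1002CB49
APIs
• mbstowcs.MSVCRT ref: 1002533C
• NetUserGetLocalGroups.NETAPI32(00000000,?,00000000,00000001,?,000000FF), ref: 10025362
"""

# One bullet line. The API name may contain '@', '?', '$' or '#' (MFC ordinals,
# decorated C++ names), so it is "anything up to the module dot". The argument
# list is optional (e.g. 'closesocket.WS2_32 ref: ...').
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str] = None  # callee address when reported as a subcall


def parse_api_lines(text):
    """Return one list of ApiCall per 'APIs' block, in page order."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = _LINE.match(line)
        if m is None or current is None:
            continue  # other headers ('Memory Dump Source', 'Strings', ...)
        args = [a for a in (m["args"] or "").split(",") if a != ""]
        current.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return blocks


# Tag names are this example's own choice (an assumption), keyed on API name or module.
_TAGS = (
    ("network", lambda c: c.module == "WS2_32"),
    ("registry", lambda c: c.api.startswith("Reg")),
    ("account-enumeration", lambda c: c.api.startswith(("NetUser", "NetLocalGroup"))),
    ("dynamic-import", lambda c: c.api in ("LoadLibraryA", "LoadLibraryW", "GetProcAddress")),
    ("screen-or-input", lambda c: c.api in ("GetDC", "GetCursorPos", "GetCursorInfo", "GetDesktopWindow")),
)


def tags_for(calls):
    return sorted({tag for c in calls for tag, pred in _TAGS if pred(c)})


def dynamic_imports(calls):
    """Pair LoadLibrary*(literal dll) with the GetProcAddress(_, literal name)
    calls that follow it in listing order, yielding 'dll!symbol' strings.
    Only direct calls are considered, and only literal arguments: the '?' and
    '00000000' placeholders the report prints for unresolved values are skipped."""
    out, dll = [], None
    for c in calls:
        if c.subcall:
            continue
        if c.api.startswith("LoadLibrary") and c.args and c.args[0] not in ("?", "00000000"):
            dll = c.args[0]
        elif c.api == "GetProcAddress" and dll and len(c.args) >= 2:
            if c.args[1] not in ("?", "00000000"):
                out.append(f"{dll}!{c.args[1]}")
        elif c.api == "FreeLibrary":
            dll = None
    return out


def summarize(calls):
    return {
        "modules": sorted({c.module for c in calls if not c.subcall}),
        "tags": tags_for(calls),
        "dynamic_imports": dynamic_imports(calls),
    }


if __name__ == "__main__":
    for i, block in enumerate(parse_api_lines(SAMPLE)):
        print(i, summarize(block))
```

                                                   The pairing in dynamic_imports relies on listing order within one function and cannot see data flow: the handle passed to GetProcAddress is printed as 00000000 here, so the association with ws2_32.dll is an inference from adjacency, to be confirmed in the disassembly before it is cited as a resolved import.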
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                  • #823.MFC42(000001F0), ref: 100166B0
                                                  • #823.MFC42(000001F0), ref: 100166E1
                                                    • Part of subcall function 10017D20: LoadCursorA.USER32(00000000,00000000), ref: 10017DFF
                                                  • #823.MFC42(000001F0), ref: 10016708
                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$ExchangeInterlocked$CloseCursorHandleLoadObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 3589420723-0
                                                  • Opcode ID: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
                                                  • Instruction ID: 712e268baaa8dd016a258d9f4d26cd7f4b70a444460d0a0c6ff612943e0d7f80
                                                  • Opcode Fuzzy Hash: 0fe1d094d2ae649a4336e8b454c16dc9f549e546ef118597d430beb08463b978
                                                  • Instruction Fuzzy Hash: C331B274644704ABE720CB348C92FAA77E5FB4C714F000A2DF69A9A2C1DB75F580C752
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 1002A022
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002A029
                                                  • _ftol.MSVCRT ref: 1002A12D
                                                  • Sleep.KERNEL32(000003E8), ref: 1002A15E
                                                  Strings
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProcSleep_ftol
                                                  • String ID: NtQuerySystemInformation$ntdll
                                                  • API String ID: 720640769-3593917365
                                                  • Opcode ID: a7f7c08883fa2cd4ac92000dd25a7eaf630aaed1c99f66e9453e5e11d1f88dbd
                                                  • Instruction ID: 4e918068f37cc84e614fe3734d20164f4e2383b52c7a867ab46e292cec08de5c
                                                  • Opcode Fuzzy Hash: a7f7c08883fa2cd4ac92000dd25a7eaf630aaed1c99f66e9453e5e11d1f88dbd
                                                  • Instruction Fuzzy Hash: F64184B5A083059FE310DF65DC85A8BB7E8FBC8750F418E2DF589E2250EF3199548B92
                                                  APIs
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 1000947B
                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF), ref: 10009494
                                                  • GetFileSize.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094B7
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094C0
                                                  • LocalAlloc.KERNEL32(00000040,-0000000A,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094CE
                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 100094FC
                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009524
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
                                                  • String ID:
                                                  • API String ID: 2793549963-0
                                                  • Opcode ID: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                  • Instruction ID: 308c1cce03677ded8cce1838fe27e550398bb3d797b3be4da8be1d4d23af97c4
                                                  • Opcode Fuzzy Hash: 1d0de42e81ec7a97ed4485cc77a0b2a80b5f9abe04790932a430d9cbf81657f2
                                                  • Instruction Fuzzy Hash: 0D3108327002145BD714DE78DC95B9AB2D6FB88621F484639FE1AD73C0DAB5A805C660
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?), ref: 1000771C
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?), ref: 10007792
                                                  • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?), ref: 100077A7
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 100077C4
                                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 100077CB
                                                  Strings
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateFolderHandlePathPointerSpecialWrite
                                                  • String ID: p
                                                  • API String ID: 2004626570-2181537457
                                                  • Opcode ID: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                  • Instruction ID: 1e1907684de1c8bd89ee597228f05c738f3ecf463b7a0146f2a5c42f798544d2
                                                  • Opcode Fuzzy Hash: db79ec1e1d2c2a338deb3c310fd97c6c46a2e7c23434e6060fbb021f232cdfea
                                                  • Instruction Fuzzy Hash: 6331D7756447045BD318CA28CC45FABB796FBC8320F084B2DF95A972D0DAB49E05C751
                                                  APIs
                                                    • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                    • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                    • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                    • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                    • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                  • ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                  • socket.WS2_32 ref: 10004A86
                                                  • gethostbyname.WS2_32(?), ref: 10004AA6
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
                                                  • String ID:
                                                  • API String ID: 513860241-0
                                                  • Opcode ID: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
                                                  • Instruction ID: 92d35607f8033a3118f145dcfa9d89b9a917cf27699ac872a687df5e96afb08c
                                                  • Opcode Fuzzy Hash: dd6fca4b14ea35cb6b5819fb0315a2d1409d462e86a20a94a99b707d4d32cf9b
                                                  • Instruction Fuzzy Hash: 0731CEB5244301AFE310DF28CC85FDB77E4FF85318F004A1DF2999A280DBB1A4888B66
                                                  APIs
                                                  • #939.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116CA
                                                  • #800.MFC42(00000000,00000004,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000), ref: 100116DB
                                                  • #6282.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116ED
                                                  • #535.MFC42(00000030,?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 100116F9
                                                  • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 1001173E
                                                  • #535.MFC42(?,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011756
                                                    • Part of subcall function 10011790: #540.MFC42 ref: 100117B7
                                                    • Part of subcall function 10011790: #2818.MFC42(00000000, %c%s,?,?), ref: 100117E0
                                                    • Part of subcall function 10011790: #2763.MFC42(00000020), ref: 100117FD
                                                    • Part of subcall function 10011790: #537.MFC42(100FACDC,00000000,00000020), ref: 10011815
                                                    • Part of subcall function 10011790: #537.MFC42(100FB4F0,100FACDC,00000000,00000020), ref: 1001182A
                                                    • Part of subcall function 10011790: #922.MFC42(?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001183B
                                                    • Part of subcall function 10011790: #922.MFC42(?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001184C
                                                    • Part of subcall function 10011790: #939.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 1001185B
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011869
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011877
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011885
                                                    • Part of subcall function 10011790: #800.MFC42(00000000,?,00000000,00000000,?,00000000,-0000000C,100FB4F0,100FACDC,00000000,00000020), ref: 10011893
                                                    • Part of subcall function 10011790: #535.MFC42(00000000), ref: 100118F0
                                                    • Part of subcall function 10011790: #800.MFC42(00000000), ref: 10011906
                                                  • #536.MFC42(00000000,00000001,00000000,00000000,00000001,00000000,00000003,100986D8,000000FF,100113FF,?,000000FF,00000000,?,00000000,00000000), ref: 10011766
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #800$#535$#537#922#939$#2763#2818#536#540#6282
                                                  • String ID:
                                                  • API String ID: 37758464-0
                                                  • Opcode ID: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
                                                  • Instruction ID: a387ab11639bd89c7a433ae959a7e4b16c1de711adbd724f1b563dcecc6c226d
                                                  • Opcode Fuzzy Hash: 3d700551163b542b38d8b03b5ef292303f94f415ddb6fbb6d07dd7c0df94b13e
                                                  • Instruction Fuzzy Hash: 4F31B036304B509BC768DB19C980A5EB3E5FBC8660F844A2DF15A9B781CA34FD86CB51
                                                  APIs
                                                  • Sleep.KERNEL32(0000000A), ref: 1001790C
                                                  • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1001792A
                                                  • PostMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1001793D
                                                  • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10017959
                                                  • PostMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1001796C
                                                    • Part of subcall function 100172E0: WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                    • Part of subcall function 100172E0: CloseHandle.KERNEL32(?), ref: 10017316
                                                    • Part of subcall function 100172E0: #823.MFC42(00000110), ref: 1001733A
                                                  • BlockInput.USER32(?), ref: 1001797E
                                                    • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000000), ref: 10017CD7
                                                    • Part of subcall function 10017CC0: GetSystemMetrics.USER32(00000001), ref: 10017CE0
                                                  • BlockInput.USER32(00000000), ref: 100179B1
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: System$BlockInfoInputMessageMetricsParametersPost$#823CloseHandleObjectSingleSleepWait
                                                  • String ID:
                                                  • API String ID: 3920574744-0
                                                  • Opcode ID: fafef813ed8a9c147f562dd6c35f089270f354d0bfb6d6f79d4d72cdd761d5b8
                                                  • Instruction ID: 7986ccb564aaef6e7677450f4a479ce91f482bd9a58eabc106b72063fd66a517
                                                  • Opcode Fuzzy Hash: fafef813ed8a9c147f562dd6c35f089270f354d0bfb6d6f79d4d72cdd761d5b8
                                                  • Instruction Fuzzy Hash: 9221083438034425DA14EA340C83FE92776EF42750F101538B75E6F1C3CDB5E88A8628
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000), ref: 10025889
                                                  • NetUserGetInfo.NETAPI32(00000000,00000000,00000003,?), ref: 100258B8
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 10024614
                                                    • Part of subcall function 100245F0: #823.MFC42(00000002,?,00000000,00000000), ref: 10024621
                                                    • Part of subcall function 100245F0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002463D
                                                  • NetUserSetInfo.NETAPI32(00000000,00000000,00000003,?,?,?), ref: 100258ED
                                                  • #825.MFC42(00000000,00000000,00000000,00000003,?,?,?), ref: 100258F5
                                                  • #825.MFC42(?,00000000,00000000,00000000,00000003,?,?,?), ref: 10025902
                                                  • NetApiBufferFree.NETAPI32(?), ref: 10025934
                                                  • LocalFree.KERNEL32(?), ref: 1002593E
                                                  Memory Dump Source
                                                   • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825ByteCharFreeInfoMultiUserWide$#823BufferLocallstrlen
                                                  • String ID:
                                                  • API String ID: 1574401665-0
                                                  • Opcode ID: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
                                                  • Instruction ID: db542bc96f26d639f55d823ab568073f523843db7179ccf286ad23694a425397
                                                  • Opcode Fuzzy Hash: 4deef81ed9964ded4ef6be6e35d77e14c2eeece9479341862667b8981f28ec86
                                                  • Instruction Fuzzy Hash: 08217FB5608301AFD710DF68EC85E5BBAECEF94604F44042DF58597243EA74E94C8BA2
                                                  APIs
                                                  • htons.WS2_32 ref: 100234F3
                                                  • inet_addr.WS2_32(?), ref: 10023509
                                                  • inet_addr.WS2_32(?), ref: 10023527
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 10023533
                                                  • setsockopt.WS2_32 ref: 1002355E
                                                  • connect.WS2_32(?,?,00000010), ref: 1002356E
                                                  • closesocket.WS2_32 ref: 1002357C
                                                    • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
                                                    • Part of subcall function 100232C0: inet_ntoa.WS2_32(00000000), ref: 100232D8
                                                  Yara matches
                                                  Similarity
                                                  • API ID: inet_addr$closesocketconnectgethostbynamehtonsinet_ntoasetsockoptsocket
                                                  • String ID:
                                                  • API String ID: 1372979013-0
                                                  • Opcode ID: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction ID: 004383c3fc2686cea437f660dfe81f0b064d2de5a6b80219a309b61b1ccdcd83
                                                  • Opcode Fuzzy Hash: a076db341b62b5e459f863378d388fcc54060c0c050763b1ff6fa81f446d88c2
                                                  • Instruction Fuzzy Hash: 8B11AEB4904711ABE310DF289C85AABB7E8FF84360F548B1DF498D22D0E770D9448B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 1001723D
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10017248
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017259
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017264
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 10017273
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,10098AD6,000000FF,1000CE1B), ref: 1001727C
                                                  • DestroyCursor.USER32(?), ref: 100172AC
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
                                                  • String ID:
                                                  • API String ID: 2236516186-0
                                                  • Opcode ID: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction ID: ef58890a3e63d9af94dba857a36f85de578af6b60b018718c6a648def18a2e7e
                                                  • Opcode Fuzzy Hash: d8505e23fb446c41012494cd6b92a324ddedd58825db3cd10bd00a0c1f8eaa5b
                                                  • Instruction Fuzzy Hash: 12210B752007159FD224DB69CC80BD6B3E8FB89720F150B1EE6AA97390CBB5B8018B91
                                                  APIs
                                                  • Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                  • wsprintfA.USER32 ref: 1002CE0C
                                                  • closesocket.WS2_32(00000000), ref: 1002CE24
                                                  • TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                  • CloseHandle.KERNEL32(1012E204), ref: 1002CE63
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleSleepTerminateThreadclosesocketwsprintf
                                                  • String ID: nsocket-di:%d
                                                  • API String ID: 1790861966-355283319
                                                  • Opcode ID: f89ebaabf47a92ddf1bda828b0714848bb622bc58e15f43499c97bf01b3781c8
                                                  • Instruction ID: 4dca771ee5c553c1d04bc90fe9dea56579fd1d2531aeb851653f8f82d9aa85bc
                                                  • Opcode Fuzzy Hash: f89ebaabf47a92ddf1bda828b0714848bb622bc58e15f43499c97bf01b3781c8
                                                  • Instruction Fuzzy Hash: 67116A39600236EBD710DB2CDCC4F823BE9F766354F658229E424D36B4D678E8568B94
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32 ref: 10026E26
                                                  • lstrcatA.KERNEL32(?,?), ref: 10026E38
                                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
                                                  • CloseHandle.KERNEL32(00000000), ref: 10026E7D
                                                  • LocalFree.KERNEL32(?), ref: 10026E96
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryFileFreeHandleLocalSystemlstrcat
                                                  • String ID: p
                                                  • API String ID: 3845662661-2181537457
                                                  • Opcode ID: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction ID: 0d636d5cf498f0e200fc51c94bb837cf85bd2e6de4a3745d098e481c266d8e14
                                                  • Opcode Fuzzy Hash: 14b9efa5483a32bc41595b6595029f4fa2cd9a01486b53e31f71f9e7ac383b4f
                                                  • Instruction Fuzzy Hash: 10018074504301ABE720DF28DC89BDB77E4BB88714F448E1CF299961D0D7B8A548CBA2
                                                  APIs
                                                  • GetSystemMetrics.USER32(00000000), ref: 1000EA0F
                                                  • GetSystemMetrics.USER32(00000001), ref: 1000EA13
                                                  • ChangeDisplaySettingsA.USER32 ref: 1000EA49
                                                  • ChangeDisplaySettingsA.USER32(?,00000001), ref: 1000EA56
                                                  • ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 1000EA66
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ChangeDisplaySettings$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 840903655-3916222277
                                                  • Opcode ID: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction ID: 9ef3ec576e7027de0717f9877b67978966fede7fd05d5f4f5218d1c1f9d83b39
                                                  • Opcode Fuzzy Hash: da8bcf99ab6d6381277834236ee77cd44cb5ccb353c2679cf74ed6f1b0556459
                                                  • Instruction Fuzzy Hash: F3F03A31A58324AAF720DB748D45F9B7AE4BF44B48F44091DB6589A1D0E7F5A4088F93
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
                                                  • FreeLibrary.KERNEL32(00000000), ref: 1001AC95
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: RtlGetNtVersionNumbers$ntdll.dll$Mw
                                                  • API String ID: 145871493-1869859099
                                                  • Opcode ID: 857581cc62fec56c2f26b76b4231ac71bb60c14760a08416454a7540d47a608a
                                                  • Instruction ID: 28536382927b9ec4cc5e25e0414645f0cdf118533e543cb68ac6ecf7c94cc895
                                                  • Opcode Fuzzy Hash: 857581cc62fec56c2f26b76b4231ac71bb60c14760a08416454a7540d47a608a
                                                  • Instruction Fuzzy Hash: C3F0307A3016226BD3619B29DC8899B77A9EFC6710B154928F808D7240D738D846C6B1
                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$atoi$CloseHandle
                                                  • String ID:
                                                  • API String ID: 3951340052-0
                                                  • Opcode ID: 9e872d0dc9b6fb0c54c458997fee4af1551ccc34132550f18af9ede343010c18
                                                  • Instruction ID: 34aff1f15ea7aacbc43a95f2ea04ce2127bf580518648efd0887930dc7eef893
                                                  • Opcode Fuzzy Hash: 9e872d0dc9b6fb0c54c458997fee4af1551ccc34132550f18af9ede343010c18
                                                  • Instruction Fuzzy Hash: AF41E63B31416016C554F729BC42FBFA764FBE5722F81442FF1869A281CE206C9B83B9
                                                  APIs
                                                  • CreateDIBSection.GDI32(?,00000000,00000000,76A05D50,00000000,00000000), ref: 100185E1
                                                  • SelectObject.GDI32(00000000,00000000), ref: 100185EF
                                                  • BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00CC0020), ref: 1001862F
                                                  • DeleteObject.GDI32(?), ref: 10018685
                                                  • free.MSVCRT ref: 10018694
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object$CreateDeleteSectionSelectfree
                                                  • String ID:
                                                  • API String ID: 2595996717-0
                                                  • Opcode ID: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction ID: fa73614132ced6616fd7bc227f346a67f57bb193df799f847b61321046b9127f
                                                  • Opcode Fuzzy Hash: ee283649881eec98d8cbad5e7b64363b03abddda214ff71c648d186bcbc73e34
                                                  • Instruction Fuzzy Hash: E34126B5600705AFD714DF68CC84E6BB7EAFB88600F14891DF98A8B390D670EE458B61
                                                  APIs
                                                  • BlockInput.USER32(00000000), ref: 10016966
                                                  • BlockInput.USER32(?,?,?), ref: 10016989
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169A0
                                                  • BlockInput.USER32(?,?,?), ref: 100169A9
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169C0
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 100169D9
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BlockExchangeInputInterlocked
                                                  • String ID:
                                                  • API String ID: 3466551546-0
                                                  • Opcode ID: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction ID: bf2dd9b5654f157943e35733b8f3b73f0b93b8599c458bfd2c4311f32437dab4
                                                  • Opcode Fuzzy Hash: 7274aee29f7d4d2a2de31e6c4e64948058b118fdd37ba114e8c6fc55ca8315a3
                                                  • Instruction Fuzzy Hash: 3D31E33B30856157D284E738BC61EEFA755FFD9320B05892BF585DA241CA20E89683B0
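The function records above (TCP connect via gethostbyname/inet_addr/socket/connect, a file dropped under the system directory with CreateFileA, screen grabbing with CreateDIBSection/BitBlt, BlockInput, and resolving RtlGetNtVersionNumbers through LoadLibraryW/GetProcAddress) are more useful in triage once the "APIs" lines are parsed and their numeric arguments are translated back into Win32 constants. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses the report's own API lines (a subset copied from the records above as constructed input), tags each record with capability labels, and names the constants it recognises. The capability names, the rule sets and the argument tables are the author's own conventions; the constant values (AF_INET, SOCK_STREAM, IPPROTO_TCP, GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, SRCCOPY) are the documented Windows values.

```python
"""Capability triage for a Joe Sandbox per-function API listing (added example,
not Joe Sandbox or sample code). The record text is copied from the report
above; parser, capability rules and constant tables are the author's own."""
import re

# Constructed input: a subset of the "APIs" lines of four function records above.
SAMPLE_RECORDS = {
    "socket_connect": """
• htons.WS2_32 ref: 100234F3
• inet_addr.WS2_32(?), ref: 10023509
• socket.WS2_32(00000002,00000001,00000006), ref: 10023533
• setsockopt.WS2_32 ref: 1002355E
• connect.WS2_32(?,?,00000010), ref: 1002356E
  • Part of subcall function 100232C0: gethostbyname.WS2_32(?), ref: 100232C5
""",
    "drop_file": """
• GetSystemDirectoryA.KERNEL32 ref: 10026E26
• lstrcatA.KERNEL32(?,?), ref: 10026E38
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10026E55
""",
    "screen_capture": """
• CreateDIBSection.GDI32(?,00000000,00000000,76A05D50,00000000,00000000), ref: 100185E1
• BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 1001860E
""",
    "dyn_resolve": """
• LoadLibraryW.KERNEL32(ntdll.dll,?,00000000,1001B2AF,?,?,?), ref: 1001AC59
• GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1001AC6B
""",
}

# "• api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Capability tag -> APIs that must all appear in one record (own convention).
CAPABILITY_RULES = {
    "tcp_client": {"socket", "connect"},
    "hostname_resolution": {"gethostbyname"},
    "screen_capture": {"CreateDIBSection", "BitBlt"},
    "input_blocking": {"BlockInput"},
    "write_to_system_dir": {"GetSystemDirectoryA", "CreateFileA"},
    "dynamic_api_resolution": {"LoadLibraryW", "GetProcAddress"},
}

# (api, zero-based argument index) -> documented Win32 constant values.
ARG_NAMES = {
    ("socket", 0): {0x2: "AF_INET"},
    ("socket", 1): {0x1: "SOCK_STREAM", 0x2: "SOCK_DGRAM"},
    ("socket", 2): {0x6: "IPPROTO_TCP", 0x11: "IPPROTO_UDP"},
    ("connect", 2): {0x10: "sizeof(sockaddr_in)"},
    ("CreateFileA", 1): {0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"},
    ("CreateFileA", 4): {0x2: "CREATE_ALWAYS", 0x3: "OPEN_EXISTING"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("BitBlt", 8): {0x00CC0020: "SRCCOPY"},
}

def parse_record(text):
    """One dict per API line: api, module, args (raw strings), ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"], "args": args,
                          "ref": m["ref"], "subcall": m["sub"] is not None})
    return calls

def decode_args(call):
    """Name the hex literals the table knows; keep "?" and string literals."""
    out = []
    for i, raw in enumerate(call["args"]):
        try:
            val = int(raw, 16)
        except ValueError:          # "?" (unresolved) or e.g. "ntdll.dll"
            out.append(raw)
            continue
        name = ARG_NAMES.get((call["api"], i), {}).get(val)
        out.append(f"{name} (0x{val:X})" if name else f"0x{val:X}")
    return out

def classify(calls):
    """Capability tags whose required APIs all occur in the record."""
    seen = {c["api"] for c in calls}
    return sorted(tag for tag, need in CAPABILITY_RULES.items() if need <= seen)

def triage(records):
    """Per record: capability tags plus decoded arguments keyed by api@ref."""
    out = {}
    for name, text in records.items():
        calls = parse_record(text)
        out[name] = {"capabilities": classify(calls),
                     "decoded": {f"{c['api']}@{c['ref']}": decode_args(c) for c in calls}}
    return out

if __name__ == "__main__":
    for name, summary in triage(SAMPLE_RECORDS).items():
        print(name, summary["capabilities"], summary["decoded"])
```

Arguments the sandbox could not resolve statically stay as "?", so the decoder only names what the report actually pins down; the socket call, for instance, becomes AF_INET / SOCK_STREAM / IPPROTO_TCP, and the CreateFileA call reads GENERIC_WRITE with CREATE_ALWAYS, which is what a file drop into the system directory looks like. The rule sets are deliberately strict (every API in a set must be present) so a lone CloseHandle or Sleep never produces a tag; loosen them only when you have reviewed the false-positive cost on your own corpus.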
                                                  APIs
                                                  Similarity
                                                  • API ID: malloc$realloc$strstr
                                                  • String ID:
                                                  APIs
                                                  • #823.MFC42(?,00000058,00000000,00000000,0000005C,00000000,10017EFB,?,?,?,?,?,?,00000000), ref: 100188AB
                                                  • GetDC.USER32(00000000), ref: 10018906
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10018913
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10018926
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001892F
                                                  • DeleteObject.GDI32(00000000), ref: 10018936
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  APIs
                                                  • #823.MFC42(?,0000005C,00000000,00000000,00000060,00000000,10018C0A,?,?,00000001), ref: 100190FB
                                                  • GetDC.USER32(00000000), ref: 10019156
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 10019163
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10019176
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001917F
                                                  • DeleteObject.GDI32(00000000), ref: 10019186
                                                  Similarity
                                                  • API ID: #823BitmapBitsCompatibleCreateDeleteObjectRelease
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: false$null$true
                                                  APIs
                                                  • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008505
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000850C
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 10008539
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000854C
                                                  • #825.MFC42(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 1000859A
                                                  • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?,000000FF,10008498), ref: 100085BD
                                                  Similarity
                                                  • API ID: #825$CloseHandle$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  APIs
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AAA
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ABB
                                                  • ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009ACC
                                                  • #825.MFC42(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009AF5
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B2A
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,100096F0,00000001,?,?,00000000,00000065,000000FF,10008780,00000001,00000001), ref: 10009B3D
                                                  Similarity
                                                  • API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$CloseHandle$#825
                                                  • String ID:
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CBD0: inet_addr.WS2_32(?), ref: 1002CBDA
                                                  • recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                  • CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                  • CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                  • Sleep.KERNEL32(000003E8), ref: 1002CD9D
                                                  • closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Similarity
                                                  • API ID: CloseCreateHandleSleepThread_snprintfclosesocketinet_addrrecv
                                                  • String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: malloc$Tablefree
                                                  • String ID:
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1002BE71
                                                  • Process32First.KERNEL32(00000000,00000000), ref: 1002BE8B
                                                  • _strcmpi.MSVCRT ref: 1002BEA7
                                                  • Process32Next.KERNEL32(00000000,?), ref: 1002BEB6
                                                  • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1002BEC0
                                                  • CloseHandle.KERNEL32(00000000,?,77068400), ref: 1002BED3
                                                  Similarity
                                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_strcmpi
                                                  • String ID:
                                                  APIs
                                                  • wsprintfA.USER32 ref: 1002516A
                                                    • Part of subcall function 10014700: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyExA,?,?,0000005C), ref: 10014730
                                                    • Part of subcall function 10014700: GetProcAddress.KERNEL32(00000000), ref: 10014737
                                                    • Part of subcall function 10014700: #823.MFC42(?), ref: 10014763
                                                    • Part of subcall function 10014700: #823.MFC42(?,?), ref: 100147DA
                                                  • lstrlenA.KERNEL32(?), ref: 10025196
                                                  • lstrlenA.KERNEL32(?), ref: 100251A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Similarity
                                                  • API ID: #823lstrlen$AddressLibraryLoadProcwsprintf
                                                  • String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
                                                  • API String ID: 2676723305-3034822107
                                                  Similarity
                                                  • API ID: getenvmallocsscanf
                                                  • String ID: %ld%c$JPEGMEM$x
                                                  • API String ID: 677315340-3402169052
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000EC48
                                                    • Part of subcall function 1000EBE0: GetVersionExA.KERNEL32 ref: 1000EBF3
                                                  • ShellExecuteExA.SHELL32(0000003C), ref: 1000ECE7
                                                  • ExitProcess.KERNEL32 ref: 1000ECF5
                                                  Similarity
                                                  • API ID: ExecuteExitFileModuleNameProcessShellVersion
                                                  • String ID: <$runas
                                                  • API String ID: 984616556-1187129395
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,00000000,00000000,?,10006B17,00000000), ref: 10006F50
                                                  • VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,?,10006B17,00000000), ref: 10006F77
                                                  • GetProcessHeap.KERNEL32(00000000,10006B17,?,10006B17,00000000), ref: 10006F80
                                                  • HeapFree.KERNEL32(00000000), ref: 10006F87
                                                  Similarity
                                                  • API ID: Free$Heap$LibraryProcessVirtual
                                                  • String ID: Mw
                                                  • API String ID: 548792435-2910736759
                                                  APIs
                                                  • ShellExecuteExA.SHELL32 ref: 10009EC1
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009ED2
                                                  • CloseHandle.KERNEL32(?), ref: 10009EDD
                                                  Similarity
                                                  • API ID: CloseExecuteHandleObjectShellSingleWait
                                                  • String ID: <$@
                                                  • API String ID: 3837156514-1426351568
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                  • Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: KERNEL32.dll$WaitForSingleObject
                                                  • API String ID: 188063004-3889371928
                                                  APIs
                                                    • Part of subcall function 10005230: #823.MFC42 ref: 1000525B
                                                    • Part of subcall function 10005230: #823.MFC42(?), ref: 1000526A
                                                  • lstrlenA.KERNEL32(?), ref: 1002945B
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 10029478
                                                  • lstrlenA.KERNEL32(?), ref: 100294B8
                                                  • LocalSize.KERNEL32(00000000), ref: 100294FC
                                                  • LocalFree.KERNEL32(00000000), ref: 1002950E
                                                  Similarity
                                                  • API ID: Local$#823lstrlen$AllocFreeSize
                                                  • String ID:
                                                  • API String ID: 933119475-0
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?), ref: 10017309
                                                  • CloseHandle.KERNEL32(?), ref: 10017316
                                                  • #823.MFC42(00000110), ref: 1001733A
                                                  • #823.MFC42(00000110), ref: 1001736B
                                                    • Part of subcall function 10018A50: LoadCursorA.USER32(00000000,00000000), ref: 10018B13
                                                  • #823.MFC42(00000110), ref: 10017392
                                                  Similarity
                                                  • API ID: #823$CloseCursorHandleLoadObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 1032503192-0
                                                  APIs
                                                  • CreateDIBSection.GDI32(10019096,?,00000000,10019096,00000000,00000000), ref: 100192BE
                                                  • SelectObject.GDI32(?,00000000), ref: 100192CD
                                                  • BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 100192EA
                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001930A
                                                  • DeleteObject.GDI32(?), ref: 10019332
                                                  Similarity
                                                  • API ID: Object$CreateDeleteSectionSelect
                                                  • String ID:
                                                  • API String ID: 3188413882-0
                                                  APIs
                                                  • #825.MFC42(?,?), ref: 10021631
                                                  • #825.MFC42(?), ref: 1002168E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216A2
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 100216C5
                                                  • #825.MFC42(00000000), ref: 100216D0
                                                    • Part of subcall function 10022900: #825.MFC42(?,?,1012C4D0,?,1002162E,?), ref: 10022922
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #825$Lockit@std@@$??0_??1_
                                                  • String ID:
                                                  • API String ID: 3320149174-0
                                                  • Opcode ID: 44884d60d9ebe940b958c19c5d6e14871c38c2eac28a656e2b76ce7b181ef5d9
                                                  • Instruction ID: d0047ffbaccaa5ad6d99a9ed72ec1d055d3ab89d0cdd8ff84e98db7356d77a2b
                                                  • Opcode Fuzzy Hash: 44884d60d9ebe940b958c19c5d6e14871c38c2eac28a656e2b76ce7b181ef5d9
                                                  • Instruction Fuzzy Hash: 2531AEB96007559FC710DFA8E8C485EB3E9FB9875079A481DE85AC3A00EB34FD448B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InternetOpen
                                                  • String ID: y$y
                                                  • API String ID: 2038078732-2085659379
                                                  • Opcode ID: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction ID: b3f128dd8a4f2f937591d2b39a566a4fd65ce5111e4adbe3f1b9da6999f925d3
                                                  • Opcode Fuzzy Hash: dc452fb532a8b3440562dfce708e2233d078e41fe58a17104d6ab9b3988a5d1b
                                                  • Instruction Fuzzy Hash: F0212C796082145BD200DB68BC95AAF77D9EBC4610F440439FD49D7341DBB5EA0982E7
                                                  APIs
                                                  • #6662.MFC42(0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3,00000000,00000000,00000000), ref: 10011A82
                                                  • #4278.MFC42(1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468,00000000,100114A3), ref: 10011A9E
                                                  • #6883.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AB2
                                                  • #800.MFC42(?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798,000000FF,10011468), ref: 10011AC3
                                                  • #6662.MFC42(0000005C,00000001,?,00000000,1001150F,-00000002,00000000,0000005C,-00000002,00000000,00000000,?,00000001,00000000,?,10098798), ref: 10011AD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #6662$#4278#6883#800
                                                  • String ID:
                                                  • API String ID: 2113711092-0
                                                  • Opcode ID: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction ID: f4fe6630835c94391bfcc8c2be099bdb1318b56aaed041f5013be16c963cdde2
                                                  • Opcode Fuzzy Hash: 774a556c8fd2fdb14a6c748a972ff41b9b256d90f559a08a3d16b273acc7db09
                                                  • Instruction Fuzzy Hash: A611F0363016159BDB18DE29DC45BAEBB95EF846B0F81072CF82A8B2C0DA34EC458691
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,00000001,00000000,?,?,00000065,1000878E,00000001,00000001,?,00000001,00000001,00000001), ref: 1000956E
                                                  • LocalAlloc.KERNEL32(00000040,00019000,?,?,00000065,1000878E), ref: 10009583
                                                  • ReadFile.KERNEL32(?,00000009,00018FF7,?,00000000,?,?,00000065,1000878E), ref: 100095B0
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095CD
                                                  • LocalFree.KERNEL32(00000000,?,?,00000065,1000878E), ref: 100095E7
                                                    • Part of subcall function 10009600: CloseHandle.KERNEL32(?,00000000,100095E2,?,?,00000065,1000878E), ref: 1000960F
                                                    • Part of subcall function 10009600: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000001,00000000,100095E2,?,?,00000065,1000878E), ref: 1000963C
                                                    • Part of subcall function 10009600: #825.MFC42(00000001,?,?,00000065,1000878E), ref: 10009643
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$FileFree$#825AllocCloseD@2@@std@@D@std@@HandlePointerReadTidy@?$basic_string@U?$char_traits@V?$allocator@
                                                  • String ID:
                                                  • API String ID: 1358099757-0
                                                  • Opcode ID: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction ID: c1002f4ed646788d97939a754a35c43ee484aff7721c1be338d8eb9f0dbbf468
                                                  • Opcode Fuzzy Hash: 63df56e09b5848d09f2d368d6da1cb594e9dd00ae11557fb136ebf9b1cc4f06e
                                                  • Instruction Fuzzy Hash: 911172B63007029BE310CF69DC84B97B7E9FB88361F148A29F655C7281C730E815CB65
                                                  APIs
                                                    • Part of subcall function 10010B70: LoadLibraryA.KERNEL32(KERNEL32.dll,WaitForSingleObject,?,10016C10,?,?,?,?,?,10098A80,000000FF), ref: 10010B7D
                                                    • Part of subcall function 10010B70: GetProcAddress.KERNEL32(00000000), ref: 10010B84
                                                    • Part of subcall function 10010B70: Sleep.KERNEL32(00000096,?,?,?,?,?,10098A80,000000FF), ref: 10010B97
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000076), ref: 10016FE0
                                                    • Part of subcall function 10016FB0: GetDeviceCaps.GDI32(?,00000075), ref: 10016FF3
                                                  • SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 10016CA5
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 10016CB8
                                                  • Sleep.KERNEL32(000000C8), ref: 10016CF5
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000000), ref: 1001666A
                                                    • Part of subcall function 10016640: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,10098A71,000000FF), ref: 10016675
                                                    • Part of subcall function 10016640: CloseHandle.KERNEL32(?,?,?,?,?,?,10098A71,000000FF), ref: 10016682
                                                    • Part of subcall function 10016640: #823.MFC42(000001F0), ref: 100166B0
                                                    • Part of subcall function 10016640: InterlockedExchange.KERNEL32(?,00000001), ref: 1001676D
                                                  • SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 10016CD4
                                                  • SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 10016CE7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CapsDeviceExchangeInfoInterlockedMessageParametersSendSleepSystem$#823AddressCloseHandleLibraryLoadObjectProcSingleWait
                                                  • String ID:
                                                  • API String ID: 2254935227-0
                                                  • Opcode ID: 9506a06792d0069b6a6458655b0cf65f29beff7c4f91902517e3ce6a3822e8cd
                                                  • Instruction ID: d507dce4c51d5113e1dde7e79a99317680dafb16c6daa1e476697c3642f9f1bd
                                                  • Opcode Fuzzy Hash: 9506a06792d0069b6a6458655b0cf65f29beff7c4f91902517e3ce6a3822e8cd
                                                  • Instruction Fuzzy Hash: F811E13438431969F960EB244C42FAA7786DF89B50F20013ABB49AF2D3C9F0F884D568
                                                  APIs
                                                  • #823.MFC42(00000018,?,?,?,?,100215C5,100215A5,?,?,100215A5), ref: 1002245E
                                                  • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 10022478
                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,100215A5), ref: 100224AA
                                                  • #825.MFC42(00000000,?,?,?,?,?,100215A5), ref: 100224B5
                                                  • #823.MFC42(00000018,?,?,?,?,?,100215A5), ref: 100224C5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823Lockit@std@@$#825??0_??1_
                                                  • String ID:
                                                  • API String ID: 2469163743-0
                                                  • Opcode ID: 5983a31d6c0b2385020132a838b852cedda4d359ec4bf03b4e395dbc7ee0bfcc
                                                  • Instruction ID: b06e2967b2ca456887b4d405c0e424707d268abfb114cbb194693c0cad6d653d
                                                  • Opcode Fuzzy Hash: 5983a31d6c0b2385020132a838b852cedda4d359ec4bf03b4e395dbc7ee0bfcc
                                                  • Instruction Fuzzy Hash: 7511BCB1504385AFC300DF99E8C0856FBE5FF68300B65806EE589C7B22D774B889CB92
                                                  APIs
                                                  • WTSQuerySessionInformationW.WTSAPI32 ref: 10024AB4
                                                  • lstrcpyW.KERNEL32(?,00000000,00000000), ref: 10024AD4
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 10024ADF
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000200,?,000000FF,00000000,00000104,00000000,00000000,?), ref: 10024B18
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 10024B2B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharFreeInformationMemoryMultiQuerySessionWide
                                                  • String ID:
                                                  • API String ID: 2394411120-0
                                                  • Opcode ID: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction ID: 955f71c2f156101e58c3954c60e55afc292817027518ed639cbb0e0337d6e5ae
                                                  • Opcode Fuzzy Hash: 1b9fc8bdf879ab64dffc80c6641e543ed05e3d8dc88176b00b51a123d4ec99f8
                                                  • Instruction Fuzzy Hash: C61165751183417BE310CB58CC45FEB73E8BBC8B10F044A1CF659962C0E674A5088B62
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: fgets$fclosefopenstrncpy
                                                  • String ID:
                                                  • API String ID: 2591305919-0
                                                  • Opcode ID: a718de1b11d99e9b2c0f780aac57e273de9cb2023d6a72551b98dfecfbdeb29f
                                                  • Instruction ID: c7a0ab83454999cfab7ee9e724b1213e8b3a12304a834880fe6d6711e96d4ced
                                                  • Opcode Fuzzy Hash: a718de1b11d99e9b2c0f780aac57e273de9cb2023d6a72551b98dfecfbdeb29f
                                                  • Instruction Fuzzy Hash: DD01DF726002256BE301D728AD81BDB37DCEF88315F950424F98896244EB79EA9486A2
                                                  APIs
                                                  • #858.MFC42(-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119AB
                                                  • #6874.MFC42(0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119B4
                                                  • #6874.MFC42(0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119C5
                                                  • #6874.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119D6
                                                  • #800.MFC42(00000020,0000002D,0000002F,-00000002,00000002,00000000,00000000,10098778,000000FF,10011D9B,?,?,100FB4F0,100FA644), ref: 100119E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #6874$#800#858
                                                  • String ID:
                                                  • API String ID: 833685189-0
                                                  • Opcode ID: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                  • Instruction ID: 01b43e94da0ea2eb4e39674b02d587f3c921b09ce4ba7a4e708dea5c2d38b77a
                                                  • Opcode Fuzzy Hash: 8fba9978fbcacef4305ec62f9d20de837d23ef3cff7f8932171e12680254217a
                                                  • Instruction Fuzzy Hash: A401F471208B82AAC704CF54EA15F9AFBD5EB90B60F00063EF0A5476D1DB74E9088392
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,00000000,1001FB22,1011EC82,?,?,?,?,?,?,?,?), ref: 1001FEE7
                                                  • OpenServiceA.ADVAPI32(00000000,?,00020000,?,?,?,?,?,?,?,?), ref: 1001FF00
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 1001FF0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: OpenService$CloseHandleManager
                                                  • String ID:
                                                  • API String ID: 4136619037-0
                                                  • Opcode ID: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                  • Instruction ID: efb21d9ce1343172679c2ebe97ca72b077adbb798532605da40d3010ccc8a93c
                                                  • Opcode Fuzzy Hash: 9b0dc5b076fce1cf9a16b774a2a7847931855da1db67cd2e176fee473d4c4fbc
                                                  • Instruction Fuzzy Hash: 30E09236219231A7E2217729BC88FDB67A8EFD9791F0B0156F608DA190C6A0D88245E8
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,10028552), ref: 10027267
                                                  • OpenServiceA.ADVAPI32(00000000,?,00010010,?,00000065), ref: 10027280
                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000065), ref: 10027297
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 1002729E
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000065), ref: 100272A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandleOpen$ManagerStart
                                                  • String ID:
                                                  • API String ID: 1485051382-0
                                                  • Opcode ID: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                  • Instruction ID: a991dfd3618a091cf8bced06e1e14c92db115e9186b32fce010f6c8dd9d2edbc
                                                  • Opcode Fuzzy Hash: de2cff0e2183aa8c2048c1ea4d6f503d246575146b3d388905ddcafbe7147248
                                                  • Instruction Fuzzy Hash: 1AE09B35256621BBF22167149CC5FAB2678FB8DBD0F150205F608961C0CB609C0141AD
                                                  APIs
                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                  • CancelIo.KERNEL32(?), ref: 10004F57
                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                  • closesocket.WS2_32(?), ref: 10004F73
                                                  • SetEvent.KERNEL32(?), ref: 10004F80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                  • String ID:
                                                  • API String ID: 1486965892-0
                                                  • Opcode ID: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                  • Instruction ID: 7b5b089ba35ea6fa801320ef26441ee9f6e0eb5430616a3962164302b2279ec7
                                                  • Opcode Fuzzy Hash: 6626a22e340417a29348b83b411036a0a6be5876ad5ce8627d14265979501e30
                                                  • Instruction Fuzzy Hash: 81F01275214711AFE6248F64CC88FD777A8BF45711F108B1DF6AE462D0CB70A4488755
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,WideCharToMultiByte,?,00000000,00000000), ref: 10005B96
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10005B9D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$WideCharToMultiByte
                                                  • API String ID: 2574300362-2634761684
                                                  • Opcode ID: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                  • Instruction ID: 11a70ebfe6614348c4627575f714f8bac5bc37e03cfb6a5d127c6c7937c6bce2
                                                  • Opcode Fuzzy Hash: 3f2dff838d6c50b6e35792f9c3f23f1c7ba8e3bb5a943dbf87fe4b46237b9eb9
                                                  • Instruction Fuzzy Hash: 2541257250421A8FDB18CE2CC8549AFBBD5FBC4354F154A2DF9A6D3280DA70AD0ACB91
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100108E8
                                                  • Sleep.KERNEL32(000004D2), ref: 1001098C
                                                    • Part of subcall function 10010790: CloseHandle.KERNEL32(00000000), ref: 10010893
                                                  • DeleteFileA.KERNEL32(?), ref: 1001094D
                                                    • Part of subcall function 10010790: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100107C2
                                                    • Part of subcall function 10010790: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10010837
                                                    • Part of subcall function 10010790: GetFileSize.KERNEL32(00000000,00000000), ref: 10010846
                                                    • Part of subcall function 10010790: #823.MFC42(00000000), ref: 1001084F
                                                    • Part of subcall function 10010790: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10010862
                                                    • Part of subcall function 10010790: #825.MFC42(00000000), ref: 1001088A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$DirectorySystem$#823#825CloseCreateDeleteHandleReadSizeSleep
                                                  • String ID: .key
                                                  • API String ID: 3115437274-343438762
                                                  • Opcode ID: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                  • Instruction ID: 6c8f07c80318120aef5ae7d44ab656afb01d193eb1c0889538d79381634ba695
                                                  • Opcode Fuzzy Hash: a96574d81c46762344fc3343623d057d93ebf2ababc3c40e8b4745195a2ba852
                                                  • Instruction Fuzzy Hash: 1E210775B046540BE719D634889076A7BC5FBC1330F58031AF6978B2C2CEF898888755
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32 ref: 10007877
                                                  • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100078ED
                                                  • CloseHandle.KERNEL32(00000000), ref: 10007917
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateFileFolderHandlePathSpecial
                                                  • String ID: p
                                                  • API String ID: 3113538180-2181537457
                                                  • Opcode ID: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                  • Instruction ID: fb9301c769810b0d049b01ddbf7940714647d0c15556b6550ef7852ede3c4a13
                                                  • Opcode Fuzzy Hash: 5da1870f2322d6a31bcdac28cb17ebf9f43366c6ecd2797be473c450de5ccda1
                                                  • Instruction Fuzzy Hash: CB210A716006041FE718CA389C46BEB76C5FBC4330F588B2DF96ACB2D1DAF489098750
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(WINMM.dll,waveOutWrite), ref: 1000141E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10001425
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutOpen), ref: 100014C9
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014D2
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutPrepareHeader), ref: 100014E2
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014E5
                                                    • Part of subcall function 100014B0: LoadLibraryA.KERNEL32(WINMM.dll,waveOutGetNumDevs), ref: 100014F5
                                                    • Part of subcall function 100014B0: GetProcAddress.KERNEL32(00000000), ref: 100014F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: WINMM.dll$waveOutWrite
                                                  • API String ID: 2574300362-665518901
                                                  • Opcode ID: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                  • Instruction ID: 94ba89aa586d5954ea77ca1480e0960dd09743874461cbc46f4ab6b518109010
                                                  • Opcode Fuzzy Hash: 4a4c6bc64acc4bfc1f0c5e94051bfa256714ece8f52ffe926b99e450b8b27139
                                                  • Instruction Fuzzy Hash: C211A0762043048FEB08DF68D8C89A6BBE5FB88380B15855DFE468B346DB71EC01DB20
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,00000065,?,00000001,00000001,00000001), ref: 10009DAA
                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000065,?,00000001,00000001,00000001), ref: 10009DC6
                                                  • SetFilePointer.KERNEL32 ref: 10009DE4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Pointer$Write
                                                  • String ID: p
                                                  • API String ID: 3847668363-2181537457
                                                  • Opcode ID: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                  • Instruction ID: 1a9338856e1de5b0d7c3f8fb7aa3c1ae0f192f66fa92f10234f7d2b8d6558fe2
                                                  • Opcode Fuzzy Hash: aa322e81eecda5844740ab48266e82d2f9faeacbe78758d31681d1f169d9bd49
                                                  • Instruction Fuzzy Hash: 811127B5608341ABE210DB28CC85F9BB7E9FBD8714F108A0CF99893280D674A9058BA1
                                                  APIs
                                                    • Part of subcall function 10001B80: InitializeCriticalSection.KERNEL32(00000001,?,100048DA,00000000), ref: 10001B98
                                                  • WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateCriticalEventInitializeSectionStartup
                                                  • String ID: a$m
                                                  • API String ID: 1327880603-1958708294
                                                  APIs
                                                  • #823.MFC42(00000014,0036EE80,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BA4,?), ref: 100251B7
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 100251DB
                                                  • wsprintfA.USER32 ref: 10025201
                                                  Strings
                                                  Similarity
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  APIs
                                                  • #823.MFC42(00000014,772C0450,00000000,?,?,?,?,?,?,?,?,?,?,?,10028BC0,00000000), ref: 10025D57
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 10025D7B
                                                  • wsprintfA.USER32 ref: 10025DA1
                                                  Strings
                                                  Similarity
                                                  • API ID: #823GlobalMemoryStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 1983843647-2766056989
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 1002C581
                                                  • GetThreadDesktop.USER32(00000000,?,100175AC), ref: 1002C588
                                                    • Part of subcall function 1002BFA0: LoadLibraryA.KERNEL32(USER32.dll,OpenDesktopA,?,?,00000000,1002BD69,00000000), ref: 1002BFBB
                                                    • Part of subcall function 1002BFA0: GetProcAddress.KERNEL32(00000000), ref: 1002BFC4
                                                  • PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1002C5B4
                                                  Strings
                                                  Similarity
                                                  • API ID: Thread$AddressCurrentDesktopLibraryLoadMessagePostProc
                                                  • String ID: Winlogon
                                                  • API String ID: 133172028-744610081
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CreateEventA,?,?,1000F32E,?,?,00000000,1001DC8E,?,100FA3E4,?), ref: 100109D0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 100109D7
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CreateEventA$KERNEL32.dll
                                                  • API String ID: 2574300362-2476775342
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,CloseHandle,00000000,1000F45B,00000000,00000000,1001DDE5), ref: 10010A23
                                                  • GetProcAddress.KERNEL32(00000000), ref: 10010A2A
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CloseHandle$KERNEL32.dll
                                                  • API String ID: 2574300362-2295661983
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(KERNEL32.dll,lstrlenA), ref: 1002C05A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 1002C061
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: KERNEL32.dll$lstrlenA
                                                  • API String ID: 2574300362-1796993502
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $u%04x
                                                  • API String ID: 0-2846719512
                                                  APIs
                                                  • #825.MFC42(?,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121D1
                                                  • #823.MFC42(00000000,00000000,?,?,?,1001112D,00000000,000000FF,00000000,000000FF,00000000,?), ref: 100121F6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123A6
                                                    • Part of subcall function 10012350: #540.MFC42(00000000,?,?,00000000), ref: 100123B3
                                                  Similarity
                                                  • API ID: #540$#823#825
                                                  • String ID:
                                                  • API String ID: 3261958014-0
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10016211
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 10016221
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989E8,000000FF), ref: 100161BC
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 100162A9
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015EB1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015EC1
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,100989A8,000000FF), ref: 10015E5C
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(?), ref: 10015F49
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: 4ae3ca370cfda8762aa8d13eabc5d5ff90e0b2bde75b508d9fa136ebdcbf54e3
                                                  • Instruction ID: 2efc35274b5ba7278b038ebc5a3111e863889b82502acd3cbbaa6e4a2c2e9c7a
                                                  • Opcode Fuzzy Hash: 4ae3ca370cfda8762aa8d13eabc5d5ff90e0b2bde75b508d9fa136ebdcbf54e3
                                                  • Instruction Fuzzy Hash: 0E410275604645CBC708DE28C891A6BB3D6FBC8611F88052CF9568F341EB36EA49C793
                                                  APIs
                                                  • #825.MFC42(00000000), ref: 10015CE3
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015CF7
                                                  • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,10098988), ref: 10015C88
                                                    • Part of subcall function 10015610: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 100156E2
                                                  • #825.MFC42(00000000), ref: 10015D76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823#825$Open
                                                  • String ID:
                                                  • API String ID: 2004829228-0
                                                  • Opcode ID: 700a397ec51c5c2ed7ecb5a4c3658066741b272a4fb707a3ed6d65b6fcbd4b57
                                                  • Instruction ID: 22f7ffdec03bb76be5668379c17d5a3ef63f933eeaa720f834c9e29fb4dd8e5d
                                                  • Opcode Fuzzy Hash: 700a397ec51c5c2ed7ecb5a4c3658066741b272a4fb707a3ed6d65b6fcbd4b57
                                                  • Instruction Fuzzy Hash: A541FD35608645DFC708DE28D89166FB3E6FBC8610F88052CF9469B351DB32E989CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823$strstr
                                                  • String ID:
                                                  • API String ID: 3700887599-0
                                                  • Opcode ID: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction ID: e7a3bb7836f99c4b21098aa8e2ae082227a5993f95023b9609139f1e4e40139e
                                                  • Opcode Fuzzy Hash: 1feb712d2eb87b772129509cba575338db839c6f83ad0c279dda09971329dd7f
                                                  • Instruction Fuzzy Hash: 1721AD3A2105180B871CC97DAC1152B7AC2FBC9631B6A432EFA2BC7BD1DEA5DD058380
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006D7E
                                                  • LoadLibraryA.KERNEL32(?), ref: 10006D9A
                                                    • Part of subcall function 100069B0: GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                    • Part of subcall function 100069B0: HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 10006E08
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 10006E2F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapRead$AddressAllocLibraryLoadProcProcess
                                                  • String ID:
                                                  • API String ID: 2932169029-0
                                                  • Opcode ID: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction ID: 24d0788afd7e564c21ce07679b2cd919d25d482a3edf121e110520330544f2d5
                                                  • Opcode Fuzzy Hash: 0bb20e24d639ff234c6774ad8937788d10a102b94a8500d5cb44c64d04d593d7
                                                  • Instruction Fuzzy Hash: 2C317E76B007069FE310CF29CC80A56B7E9FF493A4B26462AE919C7255EB31E815CB90
                                                  APIs
                                                  • ceil.MSVCRT ref: 10001D8C
                                                  • _ftol.MSVCRT ref: 10001D95
                                                  • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,1001B646,?,000003C0), ref: 10001DA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual_ftolceil
                                                  • String ID:
                                                  • API String ID: 3317677364-0
                                                  • Opcode ID: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction ID: 80e73f680275ecb85cea3faadb907318f444ef36128b6434ffe1c43a84600ab4
                                                  • Opcode Fuzzy Hash: a938f9c99390067515d5bb401682070dd3e948cd9475bed688cee5d7a00ad51b
                                                  • Instruction Fuzzy Hash: 9911E4757083009BE704DF28EC8275ABBE4FBC03A1F04853EFD498B395DA75A809CA65
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _ftolceil
                                                  • String ID:
                                                  • API String ID: 2006273141-0
                                                  • Opcode ID: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction ID: 62e5b31a19e4efc706719f2d7f8223bc0b5f5341a1f9df7ec71081677a67e64d
                                                  • Opcode Fuzzy Hash: c13413cdfef608f17b66785ed65de3a9914b1a525c6f880948e7d8bc7dc34384
                                                  • Instruction Fuzzy Hash: 2911A2756483049BE704EF28EC8676FBBE1FB84791F04853DF9498B344DA36A818C666
                                                  APIs
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AAE
                                                  • LocalFree.KERNEL32(00000000), ref: 10015ABA
                                                  • LocalSize.KERNEL32(00000000), ref: 10015AD5
                                                  • LocalFree.KERNEL32(00000000), ref: 10015AE1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$FreeSize
                                                  • String ID:
                                                  • API String ID: 2726095061-0
                                                  • Opcode ID: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction ID: 9d4eaa0da794f1e2b3889d11efc9f421fde940f342979db69ca44634e0eb0258
                                                  • Opcode Fuzzy Hash: c0206f096c02150c192f086eedc162ceac66f92a3276f0c0eb43a5dbeb93a699
                                                  • Instruction Fuzzy Hash: 2E11EEB9204654DBC221DB14CC91BBFB3D8FF85251F880629F9915F281DF39EC8586AA
                                                  APIs
                                                  • mbstowcs.MSVCRT ref: 10025257
                                                  • NetUserSetInfo.NETAPI32(00000000,?,000003F0,?,00000000,?,?,?), ref: 1002528E
                                                  • Sleep.KERNEL32(00000064,00000000,?,000003F0,?,00000000,?,?,?), ref: 100252B2
                                                    • Part of subcall function 10025700: LocalSize.KERNEL32(00000000), ref: 10025710
                                                    • Part of subcall function 10025700: LocalFree.KERNEL32(00000000,?,10025C00,00000001,?,00000000,00000001,?,?), ref: 10025720
                                                  • LocalFree.KERNEL32(?,?,?,?), ref: 100252C4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Free$InfoSizeSleepUsermbstowcs
                                                  • String ID:
                                                  • API String ID: 2733533-0
                                                  • Opcode ID: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction ID: 15c901b137dd358fda9146c8f6f94cc6f523190a05e50031364fc71d2f867a2a
                                                  • Opcode Fuzzy Hash: 6a9604ccc34c4b0797383264fcae3a00f4c44b13357fa65a3340c00f3e20fbd0
                                                  • Instruction Fuzzy Hash: 02110835218301ABE714CB28DC85FDB77D9AFD8705F044A2DF585822D1EBB4E54C8693
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                  • CloseHandle.KERNEL32(?), ref: 100049FF
                                                  • CloseHandle.KERNEL32(?), ref: 10004A08
                                                  • WSACleanup.WS2_32 ref: 10004A0A
                                                    • Part of subcall function 10004F20: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10004F4A
                                                    • Part of subcall function 10004F20: CancelIo.KERNEL32(?), ref: 10004F57
                                                    • Part of subcall function 10004F20: InterlockedExchange.KERNEL32(?,00000000), ref: 10004F66
                                                    • Part of subcall function 10004F20: closesocket.WS2_32(?), ref: 10004F73
                                                    • Part of subcall function 10004F20: SetEvent.KERNEL32(?), ref: 10004F80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
                                                  • String ID:
                                                  • API String ID: 136543108-0
                                                  • Opcode ID: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction ID: af8d02120cf7308e6d709f2e7e2ecce89aa86b165303e1ddd931105c7dc64684
                                                  • Opcode Fuzzy Hash: c40254e04adc77fad543b95add6b34e372d7ac014e393a6428c3a2a647f4d71d
                                                  • Instruction Fuzzy Hash: B811BF79008B41DFD324DF28C844B9AB7E8EF85620F044B1CF0AA432D1DBB864098B63
                                                  APIs
                                                  • #537.MFC42(?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E47
                                                  • #940.MFC42(?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E7E
                                                  • #535.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011E8F
                                                  • #800.MFC42(?,?,?,?,?,1009881F,000000FF,10007B21,?,00000000,00000000), ref: 10011EA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #535#537#800#940
                                                  • String ID:
                                                  • API String ID: 1382806170-0
                                                  • Opcode ID: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction ID: 1b94c52f3496be9ecc741279a921140b636ff9e4308d57c3df3fe77fcebb6b55
                                                  • Opcode Fuzzy Hash: 6f5b847d5374a9d418dd2c0dc61e1757aeba104c962d883d24d17fcf50d4bf0c
                                                  • Instruction Fuzzy Hash: E2018B7550C7429FD304DF18C850B9BBBE1EB95764F408A0DF895872A2DB74E84A8B92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #536#537#800#922
                                                  • String ID:
                                                  • API String ID: 1475696894-0
                                                  • Opcode ID: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction ID: 1cf16686c75a57ace72aecc56e9772a672cb7b67628aacae2db0a16f8193c9c6
                                                  • Opcode Fuzzy Hash: 7d1a2c313bb10d832db081e31ac023a115b9d5a741b1015456ccb2ce16f95c01
                                                  • Instruction Fuzzy Hash: 2301B5B6204650AFC304DF58DD01F9AF7E4FB88B14F408A2DF98997781C779A904CB92
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
                                                  • htons.WS2_32 ref: 1002CB92
                                                  • connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
                                                  • closesocket.WS2_32(00000000), ref: 1002CBB1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: closesocketconnecthtonssocket
                                                  • String ID:
                                                  • API String ID: 3817148366-0
                                                  • Opcode ID: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction ID: e8f6fcb377fdd042e502e5b9bb1bca880f3579ad8180536aff2f54e253c3389a
                                                  • Opcode Fuzzy Hash: eb37e080dc3f1f8ccbdf2bbb095a56ed3045b64092a9622a6cfcea14b4e0b0e5
                                                  • Instruction Fuzzy Hash: E0F0F6385143306BE700EB7C9C8AADBB7E4FF84324F844B49F9A8822E1E27084045786
                                                  APIs
                                                  • WTSQuerySessionInformationA.WTSAPI32(00000000,000000FF,00000005,?,?), ref: 1002C33C
                                                  • #823.MFC42(00000100,774D1760,00000000,000000FF,00000005,?,?), ref: 1002C34B
                                                  • lstrcpyA.KERNEL32(00000000,?,?), ref: 1002C35B
                                                  • WTSFreeMemory.WTSAPI32(?), ref: 1002C366
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: #823FreeInformationMemoryQuerySessionlstrcpy
                                                  • String ID:
                                                  • API String ID: 3008764780-0
                                                  • Opcode ID: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction ID: 0e0dc6ce2e22f62c944f194f199933a30fb1a1041a33420a8a3a97c55cf99f31
                                                  • Opcode Fuzzy Hash: 0d88bfbc678714cad99cd30844ed1c893ef2e85d3cf852497a73032b9528ba91
                                                  • Instruction Fuzzy Hash: F9F0A7B96083116BDB00DB78AC46D9B76E4EB84A11F444A2CF948D2280F574ED08C7F2
                                                  APIs
                                                  • Process32First.KERNEL32(?,00000128), ref: 1000B5B7
                                                  • Process32Next.KERNEL32(?,00000128), ref: 1000B5D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$FirstNext
                                                  • String ID: ???
                                                  • API String ID: 1173892470-1053719742
                                                  • Opcode ID: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction ID: f3f52207799e89cd2a562506939f2cbbbb926e58e4282d7ba594e292c06b3d7f
                                                  • Opcode Fuzzy Hash: 712854ab25addc2021797cccdb898ca77ef716bf3bd6518fcb4f01374f701812
                                                  • Instruction Fuzzy Hash: CE010432205A040BD728D9399C419AFB7D6EFC43A0F91462DF826C32C4DF78DE08C691
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D897
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D8A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 413f5fac699760af77317ec5e9624fd3d42d91d95b11ee00c734fac729361dcc
                                                  • Instruction ID: e8cfcc91c9c3e5e852571cccd77955ef4875b4b34182dd60292e79469f439210
                                                  • Opcode Fuzzy Hash: 413f5fac699760af77317ec5e9624fd3d42d91d95b11ee00c734fac729361dcc
                                                  • Instruction Fuzzy Hash: 5F117FB80086C19FE324DB64D951BDFB7E0EB95750F404A2DE8A9432C1DF342504CBA3
                                                  APIs
                                                  • #537.MFC42(chrome.exe), ref: 1000D997
                                                    • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
                                                    • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
                                                    • Part of subcall function 1000BBB0: #4202.MFC42(00000000), ref: 1000BC03
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC0E
                                                    • Part of subcall function 1000BBB0: #537.MFC42(?,00000000,00000000,00000000), ref: 1000BC24
                                                    • Part of subcall function 1000BBB0: #4202.MFC42 ref: 1000BC35
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF), ref: 1000BC78
                                                    • Part of subcall function 1000BBB0: #800.MFC42(000000FF), ref: 1000BC88
                                                    • Part of subcall function 1000BBB0: Process32Next.KERNEL32(00000000,00000000), ref: 1000BC93
                                                    • Part of subcall function 1000BBB0: #5572.MFC42(000000FF,00000000,00000000,00000000), ref: 1000BCA9
                                                    • Part of subcall function 1000BBB0: #800.MFC42 ref: 1000BCC0
                                                  • Sleep.KERNEL32(000003E8), ref: 1000D9A9
                                                    • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
                                                    • Part of subcall function 100048B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000492B
                                                    • Part of subcall function 10004A60: ResetEvent.KERNEL32(?,?,00000000), ref: 10004A73
                                                    • Part of subcall function 10004A60: socket.WS2_32 ref: 10004A86
                                                    • Part of subcall function 100049A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,?,00000000,10097CDC,000000FF,1001DDF6), ref: 100049DC
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 100049FF
                                                    • Part of subcall function 100049A0: CloseHandle.KERNEL32(?), ref: 10004A08
                                                    • Part of subcall function 100049A0: WSACleanup.WS2_32 ref: 10004A0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$#4202#537#5572#800CloseCreateEventHandleNext$CleanupFirstObjectResetSingleSleepSnapshotStartupToolhelp32Waitsocket
                                                  • String ID: chrome.exe
                                                  • API String ID: 294463573-2619149582
                                                  • Opcode ID: 834e8d7f9cad2c839f45d9171e9358a02ce01b8385012bf2e1b9649d4ff1e002
                                                  • Instruction ID: f982f30193c1ad135014148bd7e42fe507ed22380a7cef9b94e46ee28a1a2cc4
                                                  • Opcode Fuzzy Hash: 834e8d7f9cad2c839f45d9171e9358a02ce01b8385012bf2e1b9649d4ff1e002
                                                  • Instruction Fuzzy Hash: 20117F785086C09BE324DB64DA51BDFB7E0EB95750F404A2DE8A9432C1DF382604CBA3
                                                  APIs
                                                    • Part of subcall function 1002CDD0: Sleep.KERNEL32(00000064,?,?), ref: 1002CDE1
                                                    • Part of subcall function 1002CDD0: wsprintfA.USER32 ref: 1002CE0C
                                                    • Part of subcall function 1002CDD0: closesocket.WS2_32(00000000), ref: 1002CE24
                                                    • Part of subcall function 1002CDD0: TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
                                                    • Part of subcall function 1002CDD0: CloseHandle.KERNEL32(1012E204), ref: 1002CE63
                                                  • gethostbyname.WS2_32(1012B958), ref: 10024678
                                                  • inet_ntoa.WS2_32(?), ref: 1002469B
                                                    • Part of subcall function 1002CC90: _snprintf.MSVCRT ref: 1002CCCF
                                                    • Part of subcall function 1002CC90: recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
                                                    • Part of subcall function 1002CC90: CreateThread.KERNEL32(00000000,00000000,1002CBF0,?,00000000,?), ref: 1002CD80
                                                    • Part of subcall function 1002CC90: CloseHandle.KERNEL32(00000000), ref: 1002CD94
                                                    • Part of subcall function 1002CC90: closesocket.WS2_32(00000000), ref: 1002CDB1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleThreadclosesocket$CreateSleepTerminate_snprintfgethostbynameinet_ntoarecvwsprintf
                                                  • String ID: 127.0.0.1
                                                  • API String ID: 4129115345-3619153832
                                                  • Opcode ID: 4cd9c32e3d450962063fce265e8c3a30ff2eecc2af5e5d8994ec816568a30d23
                                                  • Instruction ID: d83c675e81e86afd25465515131b9e62cf78bbad0e82c00f8af347e2803ba3d5
                                                  • Opcode Fuzzy Hash: 4cd9c32e3d450962063fce265e8c3a30ff2eecc2af5e5d8994ec816568a30d23
                                                  • Instruction Fuzzy Hash: 02E0ED7A2106119BC614DBA8E884DEB77E6FBDC720B04855DF94AD7211C6347841D761
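The records above are the report's per-function listings: each direct API call with its reference address, the APIs reached through subcalls, and the Similarity fields (API ID, String ID, API String ID, Opcode ID, Instruction Fuzzy Hash). Three of them are the ones a triager reads first: the socket/htons/connect/closesocket probe at 1002CB6A, the two functions at 1000D897 and 1000D997 that pass "chrome.exe" to the process-enumeration routine at 1000BBB0 and Sleep 1000 ms before the WSAStartup/socket path, and the gethostbyname/inet_ntoa resolver at 10024678 whose record carries the string 127.0.0.1. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses this record format from a pasted export, tags each function by API category, and groups functions that share an API String ID (as the two chrome.exe functions do). SAMPLE is a constructed, abridged excerpt of the records on this page; CATEGORIES is this example's own assumption, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Similarity' blocks) and
triage them by API category. Added example, not part of the report or the
sample; SAMPLE is a constructed, abridged excerpt of records on this page, and
CATEGORIES is this example's own assumption."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• socket.WS2_32(00000002,00000001,00000000), ref: 1002CB6A
• htons.WS2_32 ref: 1002CB92
• connect.WS2_32(00000000,?,00000010), ref: 1002CBA5
• closesocket.WS2_32(00000000), ref: 1002CBB1
Memory Dump Source
• Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: closesocketconnecthtonssocket
• String ID:
• API String ID: 3817148366-0
APIs
• #537.MFC42(chrome.exe), ref: 1000D897
  • Part of subcall function 1000BBB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000BBDA
  • Part of subcall function 1000BBB0: Process32First.KERNEL32(00000000), ref: 1000BBEF
• Sleep.KERNEL32(000003E8), ref: 1000D8A9
  • Part of subcall function 100048B0: WSAStartup.WS2_32(00000202,?), ref: 1000491D
Strings
Similarity
• String ID: chrome.exe
• API String ID: 294463573-2619149582
APIs
• #537.MFC42(chrome.exe), ref: 1000D997
• Sleep.KERNEL32(000003E8), ref: 1000D9A9
Similarity
• String ID: chrome.exe
• API String ID: 294463573-2619149582
APIs
  • Part of subcall function 1002CDD0: TerminateThread.KERNEL32(?,00000000), ref: 1002CE5C
• gethostbyname.WS2_32(1012B958), ref: 10024678
• inet_ntoa.WS2_32(?), ref: 1002469B
  • Part of subcall function 1002CC90: recv.WS2_32(00000000,?,00000002,00000000), ref: 1002CD31
Similarity
• String ID: 127.0.0.1
• API String ID: 4129115345-3619153832
"""

API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
CATEGORIES = {  # assumed triage buckets, keyed on the API name before the module
    "network": {"socket", "connect", "htons", "closesocket", "recv", "send",
                "gethostbyname", "inet_ntoa", "WSAStartup", "WSACleanup"},
    "process-enum": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "session-enum": {"WTSQuerySessionInformationA", "WTSFreeMemory"},
    "thread-control": {"CreateThread", "TerminateThread"},
}

def parse_records(text):
    """Start a record at each 'APIs' header; keep API call lines and key/value fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "fields": {}}
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            if m := API_RE.match(line):
                cur["calls"].append(m.groupdict())
            elif m := FIELD_RE.match(line):
                cur["fields"][m["key"]] = m["val"]
    return records

def triage(record):
    """Tag a record by API category and anchor it at its first direct (non-subcall) ref."""
    names = {c["name"] for c in record["calls"]}
    direct = [c["ref"] for c in record["calls"] if c["sub"] is None]
    return {
        "anchor": direct[0] if direct else None,
        "tags": sorted(cat for cat, apis in CATEGORIES.items() if names & apis),
        "strings": record["fields"].get("String ID", ""),
        "api_string_id": record["fields"].get("API String ID", ""),
        "subcalls": sorted({c["sub"] for c in record["calls"] if c["sub"]}),
    }

def shared_api_string_ids(records):
    """Records with an identical API String ID (the two chrome.exe functions on this page)."""
    groups = defaultdict(list)
    for rec in records:
        t = triage(rec)
        groups[t["api_string_id"]].append(t["anchor"])
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for t in map(triage, recs):
        print(f"{t['anchor']}  {','.join(t['tags']) or '-':<24}  strings={t['strings'] or '-'}")
    print("shared API String IDs:", shared_api_string_ids(recs))
```

The anchor is the first direct API reference, not the function start, because these records do not state where the function begins; the subcall addresses (1000BBB0, 100048B0, 1002CC90) are kept separately so a function that only reaches the network through a helper is still tagged. Paste the whole exported section in place of SAMPLE to triage every function at once.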
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001C8E
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001CA4
                                                  • memmove.MSVCRT(?,?,00000000,?,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000), ref: 10001CF5
                                                  • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10004E03,?,00000003,00000003,00000000,?,10004C8B,?,00000000,?), ref: 10001D1B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                   • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$Leave$Entermemmove
                                                  • String ID:
                                                  • API String ID: 72348100-0
                                                  • Opcode ID: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction ID: 50b30369da4871338d3e5076dbae6429fca2f6132d25b88ab6d76ff2db9ab769
                                                  • Opcode Fuzzy Hash: b2c8c82c961791ae8f53fef40cbf23f5f2d1006caee183a225647bbe481849f1
                                                  • Instruction Fuzzy Hash: AE11BF3A3042154FAB08EF749C858EFB799FF94290704452EF907CB346DB71ED0886A0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
                                                  • String ID:
                                                  • API String ID: 3289936468-0
                                                  • Opcode ID: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                  • Instruction ID: e5bcf6fcaf6474cf11c06b2f5d739369e89de0018cd217908e7742b1c919ccc1
                                                  • Opcode Fuzzy Hash: 242f31426ad57f69496cf5a359c15a3d78e904203da98ddbbe90ee3972058db7
                                                  • Instruction Fuzzy Hash: DB0180B5C04665AFE711DF188C44BEABFE8FB0AAA0F040656E995A3645C7345E028BE1
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
                                                  • HeapReAlloc.KERNEL32(00000000), ref: 100069C7
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
                                                  • HeapAlloc.KERNEL32(00000000), ref: 100069DC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.3880517831.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100B7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100C8000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100D9000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880685991.00000000100EA000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880846924.00000000100FA000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880894842.000000001011E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880925621.0000000010120000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3880978292.000000001019A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                  • Instruction ID: 47877cb6062bd81062e19e0104322f8483190e017e00c23344b6b727d1ead73d
                                                  • Opcode Fuzzy Hash: 8467137ebeee5c80095378d21e104a4eec5c859026c898dd95d044c84a894ab9
                                                  • Instruction Fuzzy Hash: B6D04C75604212ABFE449BA8CD8DFAA7BADFB84745F058948F54DCA094C6709840DB31
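The "APIs" and "Memory Dump Source" entries in each function record above follow a fixed line format, which makes them easy to script over when triaging many functions. The following is an added example, not Joe Sandbox's own code, that parses one such record into the ordered API call sequence plus the dumped region's base address and page protection, and maps a report `ref` address back to an RVA in the on-disk DLL using the record's `Offset` (image base). The input is the heap-allocation record above, embedded as a constructed sample. The layout of the `.sdmp` file name (region base in the fourth dot-separated field, PAGE_* protection in the fifth) is an assumption inferred from the values on this page, not a documented format; the PAGE_* constants themselves are the standard winnt.h values.

```python
"""Parse the per-function "APIs" and "Memory Dump Source" entries of a Joe Sandbox
disassembly record, so ref addresses can be mapped to RVAs and the dumped region's
protection read off. Added example; the .sdmp name layout is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the "APIs" entries and the "Memory Dump Source" line of one
# function record, copied from the report text above.
SAMPLE_RECORD = """\
APIs
• GetProcessHeap.KERNEL32(00000000,?,?), ref: 100069C0
• HeapReAlloc.KERNEL32(00000000), ref: 100069C7
• GetProcessHeap.KERNEL32(00000000,?), ref: 100069D5
• HeapAlloc.KERNEL32(00000000), ref: 100069DC
Memory Dump Source
• Source File: 00000000.00000002.3880549512.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
"""

# Windows page-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^(?:•\s*)?Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # "?" means the sandbox could not resolve that argument
    ref: int          # virtual address of the call site in the dumped image


@dataclass
class DumpSource:
    name: str
    base: int         # assumption: 4th dot-separated field of the .sdmp name is the region base
    protection: str   # assumption: 5th field is the PAGE_* value the region was dumped with
    offset: int       # image base that the report's ref addresses are relative to
    based_on_pe: bool


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_source_line(line: str) -> Optional[DumpSource]:
    m = SRC_RE.match(line.strip())
    if not m:
        return None
    fields = m["name"][: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {m['name']}")
    prot = int(fields[4], 16)
    return DumpSource(
        name=m["name"],
        base=int(fields[3], 16),
        protection=PAGE_PROTECTION.get(prot, f"0x{prot:X}"),
        offset=int(m["offset"], 16),
        based_on_pe=(m["pe"] == "true"),
    )


def parse_record(text: str) -> Tuple[List[ApiCall], Optional[DumpSource]]:
    """Walk one function record; headings such as 'APIs' simply match nothing."""
    calls, source = [], None
    for raw in text.splitlines():
        call = parse_api_line(raw)
        if call:
            calls.append(call)
            continue
        src = parse_source_line(raw)
        if src:
            source = src
    return calls, source


def image_rva(call: ApiCall, src: DumpSource) -> int:
    """RVA of the call site: the report's ref minus the image base given as Offset,
    which is what a disassembler shows for the DLL opened from disk."""
    return call.ref - src.offset


def api_sequence(calls: List[ApiCall]) -> str:
    """Call order as one string, usable as a key when clustering functions across reports."""
    return ">".join(c.api for c in calls)


if __name__ == "__main__":
    calls, src = parse_record(SAMPLE_RECORD)
    for c in calls:
        print(f"{c.module}!{c.api} at RVA {image_rva(c, src):#x} args={c.args}")
    print(src.protection, hex(src.base))
```

Because the region base 0x10001000 lies inside the image whose `Offset` is 0x10000000, the four call sites resolve to RVAs 0x69C0 through 0x69DC, i.e. they sit in the `.text` region dumped with PAGE_EXECUTE_READ; a call site that resolved to a region dumped as PAGE_EXECUTE_READWRITE would instead point at self-modifying or unpacked code worth a closer look.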